From f2d3298f14c4d71d973a7e82c2f0e76bb307ab9c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 Jan 2023 13:54:52 -0500
Subject: [PATCH 001/470] allow nodes to connect to salt for manager and managersearch
---
 salt/firewall/assigned_hostgroups.map.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 6e249ec93..2950dc8be 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -133,6 +133,15 @@ role:
 localhost:
 portgroups:
 - {{ portgroups.all }}
+ sensors:
+ portgroups:
+ - {{ portgroups.salt_manager }}
+ searchnodes:
+ portgroups:
+ - {{ portgroups.salt_manager }}
+ heavynodes:
+ portgroups:
+ - {{ portgroups.salt_manager }}
 managersearch:
 chain:
 DOCKER-USER:
@@ -196,6 +205,15 @@ role:
 localhost:
 portgroups:
 - {{ portgroups.all }}
+ sensors:
+ portgroups:
+ - {{ portgroups.salt_manager }}
+ searchnodes:
+ portgroups:
+ - {{ portgroups.salt_manager }}
+ heavynodes:
+ portgroups:
+ - {{ portgroups.salt_manager }}
 standalone:
 chain:
 DOCKER-USER:
From 75d73e4620aeac460e98f0f48317b4e8b6ef2707 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 Jan 2023 15:35:22 -0500
Subject: [PATCH 002/470] add yum portgroups for amnager
---
 salt/firewall/assigned_hostgroups.map.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index fc0a629e7..3fd3fd1f3 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
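Review bot: The new `sensors`, `searchnodes` and `heavynodes` entries open `portgroups.salt_manager` to whatever hosts those hostgroups resolve to, and neither the hostgroup membership nor the port list is visible in this diff, so the rule is exactly as tight as those two definitions elsewhere; a one-line comment above each new `sensors:` key, e.g. `# salt-minion on these nodes must reach the salt master`, would record why this chain is being opened. Every role that runs a minion needs an entry here, and the `'*_receiver':` target in `pillar/top.sls` further down this series suggests a receiver role that gets none, so it is worth confirming whether receivers reach salt by another path. The nine added lines are repeated verbatim under `manager` (this hunk) and `managersearch` (the next); a shared Jinja variable would keep the two role blocks from drifting.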
@@ -87,16 +87,19 @@ role:
 - {{ portgroups.beats_5644 }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.yum }}
 searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.beats_5644 }}
+ - {{ portgroups.yum }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
 - {{ portgroups.beats_5644 }}
+ - {{ portgroups.yum }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -161,14 +164,17 @@ role:
 - {{ portgroups.beats_5644 }}
 - {{ portgroups.elastic_agent_control }}
 - {{ portgroups.elastic_agent_data }}
+ - {{ portgroups.yum }}
 searchnodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.yum }}
 heavynodes:
 portgroups:
 - {{ portgroups.redis }}
 - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.yum }}
 self:
 portgroups:
 - {{ portgroups.syslog}}
From d5b5a36f28521a12e08e34097bd2cbd54849339b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 26 Jan 2023 16:17:33 -0500
Subject: [PATCH 003/470] remove data.nodestab from searchnodes pillar
---
 pillar/top.sls | 1 -
 1 file changed, 1 deletion(-)
diff --git a/pillar/top.sls b/pillar/top.sls
index 87cab8c29..d383f963a 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -155,7 +155,6 @@ base:
 - adv_global
 - minions.{{ grains.id }}
 - minions.adv_{{ grains.id }}
- - data.nodestab
 '*_receiver':
 - logstash
From 716ec7f9362e658c4ecb96069f3a52e504011c49 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 27 Jan 2023 11:02:44 -0500
Subject: [PATCH 004/470] Change event.dataset value from 'files' to 'file'
---
 salt/elasticsearch/files/ingest/zeek.files | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.files b/salt/elasticsearch/files/ingest/zeek.files
index 105bbd326..7ce7f9ed5 100644
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
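Review bot: `portgroups.yum` is appended to the same three hostgroups in both roles, but the lists it joins already differ — `searchnodes` under `manager` (this hunk) carries `beats_5644`, under `managersearch` (the next hunk) it does not — and nothing records whether that asymmetry is deliberate, so a copy-paste addition like this one is exactly where it gets silently perpetuated or "corrected". A one-line comment on the `managersearch` `searchnodes:` block stating whether the narrower list is intended would settle it. What `portgroups.yum` actually exposes is defined elsewhere and not visible here; a comment naming the service it fronts would help the next reader judge the exposure.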
@@ -1,7 +1,7 @@
 {
 "description" : "zeek.files",
 "processors" : [
- { "set": { "field": "event.dataset", "value": "files" } },
+ { "set": { "field": "event.dataset", "value": "file" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.fuid", "target_field": "log.id.fuid", "ignore_missing": true } },
From 2772b03dca6028c3438c571ec533b34d5948176a Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 27 Jan 2023 11:03:49 -0500
Subject: [PATCH 005/470] Change event.dataset value from 'tunnels' to 'tunnel'
---
 salt/elasticsearch/files/ingest/zeek.tunnels | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.tunnels b/salt/elasticsearch/files/ingest/zeek.tunnels
index 84fddcda1..934f26beb 100644
--- a/salt/elasticsearch/files/ingest/zeek.tunnels
+++ b/salt/elasticsearch/files/ingest/zeek.tunnels
@@ -1,7 +1,7 @@
 {
 "description" : "zeek.tunnels",
 "processors" : [
- { "set": { "field": "event.dataset", "value": "tunnels" } },
+ { "set": { "field": "event.dataset", "value": "tunnel" } },
 { "remove": { "field": ["host"], "ignore_failure": true } },
 { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.tunnel_type", "target_field": "tunnel.type", "ignore_missing": true } },
From 6b251a25965dc72422df1538e6a60a07691e766d Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 27 Jan 2023 11:30:06 -0500
Subject: [PATCH 006/470] Change 'pipeline' to 'import.file' so that ICS tag conditional is applied to the correct field
---
 salt/common/tools/sbin/so-elastic-fleet-integration-policy-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
index f409d9a17..2cded3941 100755
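Review bot: The pipeline id and `description` stay `zeek.files` while the `event.dataset` value becomes `file`, and that split is load-bearing: the Fleet policy script later in this series builds `@metadata.pipeline` as `"zeek." + <log file name without .log>`, so `files.log` must keep routing to `zeek.files` even though its documents now carry `event.dataset: file`. A note in the only free-text slot this JSON offers, e.g. `"description" : "zeek.files (event.dataset is set to the singular 'file')"`, would stop a later maintainer from "correcting" the mismatch in either direction. Any saved search, dashboard or rule filtering on `event.dataset:files` (or `tunnels`, changed the same way in the next hunk) stops matching after this change, and nothing in the diff updates such consumers, so confirm they are handled in the same release.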
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -41,7 +41,7 @@ echo # Set Import - Zeek logs echo echo "Setting up Zeek Import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = 
event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"" } } } } } }' # Strelka logs echo "Setting up Strelka package policy" curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' From f49627cec109924ebe8fa1b941e35e462b88d1e9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 27 Jan 2023 11:47:14 -0500 Subject: [PATCH 007/470] Update Zeek file exclusions and add a minor output formatting change --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 2cded3941..a56740f56 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
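Review bot: In the new `import.file:` condition each `*` quantifies only the character before it, so `^bacnet*` also matches names beginning `bacne`, `^dnp3*` matches `dnp`, `^cip*` matches `ci`, and so on; the intended prefix test is `import.file: \"^(bacnet|bsap|cip|cotp|dnp3|ecat|enip|modbus|opcua|profinet|s7comm)\"`, escaped the same way the surrounding JSON already is. The `zeek-logs` policy earlier in this script, outside this hunk, still applies the same pattern to `pipeline` and has the same weakness. Note that `import.file` keeps its `.log` suffix — the script processor strips it only when building `@metadata.pipeline` — which is harmless for a prefix match but worth a word in the policy `description`.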
@@ -29,7 +29,8 @@ echo # Set up Zeek logs echo echo "Setting up Zeek package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"(broker | capture_loss | loaded_scripts | packet_filter | stats | stderr | stdout).log$\"]\n" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n 
lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"] +\n" } } } } } }' echo # Import - Suricata 
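Review bot: The new `exclude_files` value `broker|capture_loss|…|stdout.log$` is an ungrouped alternation, so `.log$` anchors only the `stdout` branch and the `.` is unescaped; since Filebeat matches `exclude_files` against the full path (per its docs, not visible here), a branch like `stats` excludes any file whose path merely contains that substring. The grouped form is `(broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout)\.log$`, with the backslash doubled once for the JSON string and once more for the YAML double-quoted scalar it lands in. The `+\n"` continuation this hunk introduces also puts a raw newline inside the JSON `custom` string, which is what patch 009 further down repairs.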
@@ -41,7 +42,10 @@ echo # Set Import - Zeek logs echo echo "Setting up Zeek Import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = 
event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"] +\n" } } } } } }' +echo + # Strelka logs echo "Setting up Strelka package policy" curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' From e47f64bd0444e5ababa75d86a38133861e9e4ff4 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 27 Jan 2023 12:00:30 -0500 Subject: [PATCH 008/470] Change event.category from 'file' to 'network' --- salt/common/tools/sbin/so-elastic-fleet-integration-policy-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index a56740f56..538df500e 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
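Review bot: The `exclude_files` pattern added here is applied to paths of the form `/nsm/import/%{import.id}/zeek/logs/*.log`, and because the alternation is ungrouped and unanchored, a branch such as `stats` or `broker` appearing anywhere in the path — including in the `import.id` directory component — would drop every log of that import; whether an import id can contain such a substring is not visible here. Anchoring to the file name, `/(broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout)\.log$` (backslash escaped for both the JSON string and the YAML double-quoted scalar), removes that dependency. The added `echo` lines only change console spacing.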
@@ -36,7 +36,7 @@ echo # Import - Suricata echo echo "Settings up Suricata import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: file\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }' echo # Set Import - Zeek logs From 68fac4488e2f038f13d31368523c7277f1c2d3aa Mon Sep 17 00:00:00 2001 
From: weslambert
Date: Fri, 27 Jan 2023 15:27:15 -0500
Subject: [PATCH 009/470] Fix syntax for Zeek integration policies
---
 .../tools/sbin/so-elastic-fleet-integration-policy-load | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
index 538df500e..72d0e9073 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -29,8 +29,7 @@ echo # Set up Zeek logs echo echo "Setting up Zeek package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"] -\n" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- 
script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo # Import - Suricata 
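Review bot: The rebuilt `zeek-logs` policy body still carries no `"id"`, whereas `suricata-logs`, `import-suricata-logs` and `strelka-logs` in this script pin one; without a fixed id these policies can only be addressed by name afterwards, and what happens on a re-run (a name-clash rejection or a second policy) is left to the Fleet server rather than controlled here. Adding `"id": "zeek-logs",` before `"name": "zeek-logs"` makes the set consistent and lets a later cleanup or idempotency check target the policy directly. The same omission is in `import-zeek-logs` in the next hunk.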
@@ -42,8 +41,7 @@ echo # Set Import - Zeek logs echo echo "Setting up Zeek Import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"] -\n" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n 
field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo # Strelka logs From b160d0add588480776f58d2128c9e63b3e7f58c9 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 27 Jan 2023 15:45:58 -0500 Subject: [PATCH 010/470] Fix typos in so-elastic-fleet-integration-policy-load --- .../so-elastic-fleet-integration-policy-load | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 72d0e9073..b7f7f562d 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load @@ -11,7 +11,6 @@ {%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) %} wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" -## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') 
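Review bot: The corrected `curl` call still discards the API result: there is no `-f` (or `--fail-with-body` on newer curl) and nothing inspects the response, so a 400 from `/api/fleet/package_policies` — which the previous two-line body would have produced — prints the error and the script carries on as if the policy existed. Either add `-f` to each of these calls and run under `set -e` if the script is not already, or capture the response and test it for `statusCode` before moving on; how the caller consumes this script's exit status is outside the hunk. `SESSIONCOOKIE`, scraped from the Kibana landing page earlier in the script, is likewise never checked for being non-empty before it is sent.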
@@ -20,32 +19,32 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http: echo echo "Setting up default Security Onion package policies for Elastic Agent..." -# Set up Suricata logs +# Suricata logs echo echo "Setting up Suricata package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "suricata-logs", "name": "suricata-logs", "description": "Suricata integration", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/suricata/eve*.json" ], "data_stream.dataset": "suricata", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata", "custom": "pipeline: suricata.common" }}}}}}' echo -# Set up Zeek logs +# Zeek logs echo echo "Setting up Zeek package policy..." 
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo -# Import - Suricata +# Import - Suricata logs echo -echo "Settings up Suricata import package policy..." +echo "Setting up Suricata import package policy..." 
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "import-suricata-logs", "name": "import-suricata-logs", "description": "Import Suricata logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/suricata/eve*.json"], "data_stream.dataset": "import", "tags": [], "processors": "- add_fields:\n target: event\n fields:\n category: network\n module: suricata\n imported: true\n- dissect:\n tokenizer: \"/nsm/import/%{import.id}/suricata/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"", "custom": "pipeline: suricata.common" } } } } } }' echo -# Set Import - Zeek logs +# Import - Zeek logs echo -echo "Setting up Zeek Import package policy..." +echo "Setting up Zeek import package policy..." 
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo # Strelka logs -echo "Setting up Strelka package policy" +echo "Setting up Strelka package policy..." 
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' echo 
@@ -75,7 +74,7 @@ echo # Elasticsearch logs echo -echo "Seting up Elasticsearch package policy..." +echo "Setting up Elasticsearch package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "elasticsearch", "version": "1.0.0" }, "id": "elasticsearch-logs", "name": "elasticsearch-logs", "description": "Elasticsearch Logs", "namespace": "default", "inputs": { "elasticsearch-logfile": { "enabled": true, "streams": { "elasticsearch.audit": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_audit.json" ] } }, "elasticsearch.deprecation": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_deprecation.json" ] } }, "elasticsearch.gc": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/gc.log.[0-9]*", "/var/log/elasticsearch/gc.log" ] } }, "elasticsearch.server": { "enabled": true, "vars": { "paths": [ "/opt/so/log/elasticsearch/*.log" ] } }, "elasticsearch.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/elasticsearch/*_index_search_slowlog.json", "/var/log/elasticsearch/*_index_indexing_slowlog.json" ] } } } }, "elasticsearch-elasticsearch/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9200" ], "scope": "node" }, "streams": { "elasticsearch.stack_monitoring.ccr": { "enabled": false }, "elasticsearch.stack_monitoring.cluster_stats": { "enabled": false }, "elasticsearch.stack_monitoring.enrich": { "enabled": false }, "elasticsearch.stack_monitoring.index": { "enabled": false }, "elasticsearch.stack_monitoring.index_recovery": { "enabled": false, "vars": { "active.only": true } }, "elasticsearch.stack_monitoring.index_summary": { "enabled": false }, "elasticsearch.stack_monitoring.ml_job": { "enabled": false }, "elasticsearch.stack_monitoring.node": { "enabled": false }, 
"elasticsearch.stack_monitoring.node_stats": { "enabled": false }, "elasticsearch.stack_monitoring.pending_tasks": { "enabled": false }, "elasticsearch.stack_monitoring.shard": { "enabled": false } } } } }' echo From 8240e5b20d151fa9d4aec7f776d0fdd1de95ef1c Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 27 Jan 2023 16:46:43 -0500 Subject: [PATCH 011/470] Remove 'prospector.scanner' prefix from 'exclude_files' configuration --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index b7f7f562d..ad82c8892 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -28,7 +28,7 @@ echo # Zeek logs echo echo "Setting up Zeek package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: 
javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo # Import - Suricata logs 
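Review bot: In the new `exclude_files` value the `$` anchor binds only to the last alternative (`stdout.log$`), so `broker`, `stats` and the rest are unanchored substring matches and the `.` in `stdout.log` matches any character; any future file under `/nsm/zeek/logs/current/` whose name merely contains one of those words would be silently dropped from ingestion. Anchor the whole alternation instead, in regex terms `^.*/(broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout)\.log$`, escaped for the shell/JSON/YAML layers the same way as the surrounding `processors` string. The identical value is pasted into the import policy in the next hunk and needs the same change.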
@@ -40,7 +40,7 @@ echo # Import - Zeek logs echo echo "Setting up Zeek import package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "prospector.scanner.exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "import-zeek-logs", "description": "Zeek Import logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/import/*/zeek/logs/*.log"], "data_stream.dataset": "import", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/zeek/logs/%{import.file}\"\n field: 
\"log.file.path\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"import.file\").slice(0,-4);\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n imported: true\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n import.file: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo # Strelka logs From cc100e50cdf73e4514a0f5d29dbd90083cc81209 Mon Sep 17 00:00:00 2001 From: Wes Date: Mon, 30 Jan 2023 21:09:58 +0000 Subject: [PATCH 012/470] Update so-import-evtx to convert EVTX to a JSON file instead of streaming to Elasticsearch --- salt/common/tools/sbin/so-import-evtx | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 0b6bd8383..3461e912a 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx 
@@ -32,24 +32,14 @@ function evtx2es() { EVTX=$1 HASH=$2 - ES_PASS=$(lookup_pillar "auth:users:so_elastic_user:pass" "elasticsearch") - ES_USER=$(lookup_pillar "auth:users:so_elastic_user:user" "elasticsearch") - docker run --rm \ - -v "$EVTX:/tmp/$RUNID.evtx" \ - --entrypoint evtx2es \ - {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} \ - --host {{ MANAGERIP }} --scheme https \ - --index so-beats-$INDEX_DATE --pipeline import.wel \ - --login $ES_USER --pwd "$ES_PASS" \ - "/tmp/$RUNID.evtx" >> $LOG_FILE 2>&1 - - docker run --rm \ - -v "$EVTX:/tmp/import.evtx" \ + -v "$EVTX:/tmp/data.evtx" \ + -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/evtx-end_newest:/tmp/newest" \ -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ - --entrypoint '/evtx_calc_timestamps.sh' \ - {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} + -v /root/entrypoint.sh:/entrypoint.sh:ro \ + --entrypoint "/entrypoint.sh" \ + {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 } # if no parameters supplied, display usage From 01567846870785324cb88b54e97b617359873884 Mon Sep 17 00:00:00 2001 From: Wes Date: Mon, 30 Jan 2023 21:22:37 +0000 Subject: [PATCH 013/470] Add EVTX integration policy for 'so-import-evtx' --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index ad82c8892..e82011896 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
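Review bot: The new side mounts `/root/entrypoint.sh` from the host and runs it as the container entrypoint, but nothing in this commit creates, manages or verifies that file; if it is absent Docker bind-mounts an empty directory at `/entrypoint.sh` and the run fails, with the error visible only in `$LOG_FILE`. Code the container executes should come from the so-pcaptools image or a Salt-managed path, not an unmanaged file under `/root`, and `evtx2es` should propagate the `docker run` exit status (`|| return 1`) so the caller stops instead of continuing with no `data.json`. The name `evtx2es` no longer describes the function (it converts to JSON rather than shipping to Elasticsearch); a rename or a one-line comment above it would help. The function's opening line is outside this hunk.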
@@ -31,6 +31,13 @@ echo "Setting up Zeek package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "name": "zeek-logs", "description": "Zeek logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": ["/nsm/zeek/logs/current/*.log"], "data_stream.dataset": "zeek", "tags": [], "processors": "- dissect:\n tokenizer: \"/nsm/zeek/logs/current/%{pipeline}.log\"\n field: \"log.file.path\"\n trim_chars: \".log\"\n target_prefix: \"\"\n- script:\n lang: javascript\n source: >\n function process(event) {\n var pl = event.Get(\"pipeline\");\n event.Put(\"@metadata.pipeline\", \"zeek.\" + pl);\n }\n- add_fields:\n target: event\n fields:\n category: network\n module: zeek\n- add_tags:\n tags: \"ics\"\n when:\n regexp:\n pipeline: \"^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*\"", "custom": "exclude_files: [\"broker|capture_loss|ecat_arp_info|loaded_scripts|packet_filter|stats|stderr|stdout.log$\"]\n" } } } } } }' echo + +# Import - EVTX +echo +echo "Setting up EVTX import package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{ "package": { "name": "log", "version": "1.1.0" }, "name": "import-evtx-logs", "namespace": "so", "description": "Import Windows EVTX logs", "policy_id": "so-grid-nodes", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/import/*/evtx/data.json" ], "data_stream.dataset": "import", "custom": "pipeline: import.wel", "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- add_fields:\n target: event\n fields:\n module: windows_eventlog\n imported: true", "tags": [] } } } } } }' +echo + # Import - Suricata logs echo echo "Setting up Suricata import package policy..." @@ -44,6 +51,7 @@ curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POS echo # Strelka logs +echo echo "Setting up Strelka package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' echo From 5472f53c9f45ab86d2d93cc7511512326a64edc5 Mon Sep 17 00:00:00 2001 
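Review bot: The new `import-evtx-logs` policy has no `"id"` field, unlike `strelka-logs` further down in this file, so Fleet assigns a generated id and a later update or cleanup script cannot address the policy deterministically; add `"id": "import-evtx-logs",` next to `"name"`. The `decode_json_fields` processor writes the decoded keys to the event root (`target: ""`) and relies on the processor's default for `overwrite_keys` to keep the `import.id`/`import.file` set by the preceding `dissect`; stating `overwrite_keys: false` explicitly documents that converted EVTX content cannot replace those fields. Like the other policies in this file, the `curl` has no `--fail`/status check.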
From: Wes Date: Mon, 30 Jan 2023 21:24:30 +0000 Subject: [PATCH 014/470] Remove bind mount and reference the correctly named entrypoint script --- salt/common/tools/sbin/so-import-evtx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 3461e912a..edb0a08a8 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx @@ -37,8 +37,7 @@ function evtx2es() { -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/evtx-end_newest:/tmp/newest" \ -v "/nsm/import/evtx-start_oldest:/tmp/oldest" \ - -v /root/entrypoint.sh:/entrypoint.sh:ro \ - --entrypoint "/entrypoint.sh" \ + --entrypoint "/evtx_calc_timestamps.sh" \ {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} >> $LOG_FILE 2>&1 } From 0436f885b853012a70675412cf9b689d1a90361e Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 31 Jan 2023 08:04:49 -0500 Subject: [PATCH 015/470] Set values for '@timestamp' and 'event.ingested' --- salt/elasticsearch/files/ingest/import.wel | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/salt/elasticsearch/files/ingest/import.wel b/salt/elasticsearch/files/ingest/import.wel index e75098f8f..d03cd34e4 100644 --- a/salt/elasticsearch/files/ingest/import.wel +++ b/salt/elasticsearch/files/ingest/import.wel 
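Review bot: The two single-file bind mounts `/nsm/import/evtx-end_newest` and `/nsm/import/evtx-start_oldest` are passed to `docker run` without ensuring they exist; if either host path is missing Docker creates it as a directory, and the container's `/evtx_calc_timestamps.sh` can then not write a file to `/tmp/newest` or `/tmp/oldest`. Unless an earlier part of the script (outside this hunk) creates them, add `touch /nsm/import/evtx-end_newest /nsm/import/evtx-start_oldest` before the `docker run`. `$LOG_FILE` in `>> $LOG_FILE 2>&1` is also unquoted, unlike the `-v` arguments above it. The enclosing function `evtx2es` starts outside this hunk.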
@@ -1,10 +1,11 @@
{
"description" : "import.wel",
"processors" : [
- { "remove": { "field": ["event.created","timestamp", "winlog.event_data.UtcTime", "event_record_id"], "ignore_failure": true } },
- { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
- { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
- { "dissect": { "field": "log.file.name", "pattern" : "/tmp/%{import.id}.evtx" } },
- { "pipeline": { "name": "common" } }
+ { "set": { "field": "event.ingested", "value": "{{ @timestamp }}" } },
+ { "set" : { "field" : "@timestamp", "value" : "{{ event.created }}" } },
+ { "remove": { "field": [ "event_record_id", "event.created" , "timestamp" , "winlog.event_data.UtcTime" ], "ignore_failure": true } },
+ { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } },
+ { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } },
+ { "pipeline": { "name": "common" } }
]
-}
\ No newline at end of file
+}
From a44d83d69b891d344ab6502645d3b0b689fe4bde Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 31 Jan 2023 08:33:38 -0500 Subject: [PATCH 016/470] Improve Suricata DHCP parsing and dashboard --- salt/elasticsearch/files/ingest/suricata.dhcp | 20 ++++++++++--------- salt/soc/defaults.yaml | 2 +- 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.dhcp b/salt/elasticsearch/files/ingest/suricata.dhcp
index 9ecc41837..46eb9cde4 100644
--- a/salt/elasticsearch/files/ingest/suricata.dhcp
+++ b/salt/elasticsearch/files/ingest/suricata.dhcp
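Review bot: The new `set` on `@timestamp` renders `{{ event.created }}` as an empty string when that field is absent, so the pipeline writes `""` into `@timestamp` and the document fails date parsing instead of keeping the agent-supplied timestamp. Guard it, e.g. `{ "set": { "field": "@timestamp", "value": "{{ event.created }}", "ignore_empty_value": true } }` (or `"if": "ctx.event?.created != null"`). The dropped `dissect` on `log.file.name` means `import.id` must now come from the agent-side processors of the EVTX integration policy; a comment at the top of the pipeline saying so would stop someone re-adding it. Because `event.ingested` is copied from the incoming `@timestamp`, the order of the two `set` processors is load-bearing and deserves a comment as well.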
@@ -1,15 +1,17 @@ { "description" : "suricata.dhcp", "processors" : [ - { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, - { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } }, - { "rename": { "field": "message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "message2.app_proto", "target_field": "network.protocol", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.assigned_ip", "target_field": "dhcp.assigned_ip", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.client_ip", "target_field": "client.address", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.client_mac", "target_field": "host.mac", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.dhcp_type", "target_field": "dhcp.message_types", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.hostname", "target_field": "host.hostname", "ignore_missing": true } }, + { "rename": { "field": "message2.dhcp.type", "target_field": "dhcp.type", "ignore_missing": true } }, + { "rename": { "field": 
"message2.dhcp.id", "target_field": "dhcp.id", "ignore_missing": true } }, + { "set": { "if": "ctx.dhcp?.type == 'request'", "field": "server.address", "value": "{{destination.ip}}" } }, + { "set": { "if": "ctx.dhcp?.type == 'reply'", "field": "server.address", "value": "{{source.ip}}" } }, { "pipeline": { "name": "common" } } ] } diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index cec11273b..d340b1f68 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1430,7 +1430,7 @@ soc: query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: DHCP description: DHCP (Dynamic Host Configuration Protocol) leases - query: 'event.dataset:dhcp | groupby host.hostname | groupby host.domain | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address' + query: 'event.dataset:dhcp | groupby host.hostname | groupby dhcp.message_types | groupby -sankey client.address server.address | groupby client.address | groupby server.address | groupby host.domain' - name: DNS description: DNS (Domain Name System) queries query: 'event.dataset:dns | groupby dns.query.name | groupby dns.highest_registered_domain | groupby dns.parent_domain | groupby -sankey source.ip destination.ip | groupby dns.answers.name | groupby dns.query.type_name | groupby dns.response.code_name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' From 8dc7a9da9e6dfa5c7bb11233c246bdc588386a6b Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 31 Jan 2023 10:52:35 -0500 Subject: [PATCH 017/470] add searchnode global vars --- salt/vars/searchnode.map.jinja | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 salt/vars/searchnode.map.jinja diff --git a/salt/vars/searchnode.map.jinja b/salt/vars/searchnode.map.jinja new file mode 100644 index 000000000..2efabefed --- /dev/null +++ b/salt/vars/searchnode.map.jinja @@ -0,0 +1,15 @@ +{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} +{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %} + +{% set ROLE_GLOBALS = {} %} + +{% set STANDALONE_GLOBALS = + [ + ELASTICSEARCH_GLOBALS, + LOGSTASH_GLOBALS + ] +%} + +{% for sg in STANDALONE_GLOBALS %} +{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %} +{% endfor %} From e09a86dc3067f9299451d4df4c62b68b3e4f8eb7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 31 Jan 2023 10:54:40 -0500 Subject: [PATCH 018/470] 2.4 searchnode es config --- pillar/logstash/nodes.sls | 2 +- pillar/top.sls | 2 ++ salt/elasticsearch/config.map.jinja | 10 +++++----- salt/elasticsearch/init.sls | 6 +++--- salt/logstash/map.jinja | 30 +++++++++++++++++------------ 5 files changed, 29 insertions(+), 21 deletions(-) diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 18c4b39bf..adf43156e 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls @@ -2,7 +2,7 @@ {% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %} {% for minionid, ip in salt.saltutil.runner( 'mine.get', - tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', + tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-searchnode or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', fun='network.ip_addrs', tgt_type='compound') | dictsort() %} 
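Review bot: In the new `vars/searchnode.map.jinja` the list is named `STANDALONE_GLOBALS` although this is the searchnode map, which reads like a copy of a standalone map and will mislead anyone grepping for standalone-specific code; rename it `SEARCHNODE_GLOBALS` (it is only used in the loop below). A one-line header comment such as `{# Merge per-component globals into ROLE_GLOBALS for the searchnode role #}` would also make the file self-describing, since nothing here says what imports it or why `merge_lists=False` is chosen.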
diff --git a/pillar/top.sls b/pillar/top.sls
index d383f963a..86de8709e 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -147,6 +147,8 @@ base:
- logstash.soc_logstash
- logstash.adv_logstash
- elasticsearch.index_templates
+ - elasticsearch.soc_elasticsearch
+ - elasticsearch.adv_elasticsearch
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth
{% endif %}
diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja
index 6ccbe6985..ce955e93f 100644
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -1,18 +1,18 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
-{% from 'logstash/map.jinja' import REDIS_NODES with context %}
+{% from 'logstash/map.jinja' import LOGSTASH_NODES with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% if grains.id.split('_') | last in ['manager','managersearch'] %}
- {% if REDIS_NODES | length > 1 %}
+ {% if LOGSTASH_NODES | length > 1 %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %}
{% endif %}
- {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
- {% for SN in REDIS_NODES.keys() %}
- {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN) %}
+ {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
+ {% for NODE in LOGSTASH_NODES %}
+ {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% endfor %}
{% endif %}
{% if grains.id.split('_') | last == 'manager' %}
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index e713e933a..857a3a558 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
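Review bot: The two new includes `elasticsearch.soc_elasticsearch` and `elasticsearch.adv_elasticsearch` are unconditional, while the `elasticsearch.auth` include directly below is guarded with `salt['file.file_exists']`; if either new pillar file is missing on a master (this commit does not add them), pillar rendering for the minion errors and the minion can be left with incomplete pillar data. Either add the files in the same change or guard the includes the same way, e.g. `{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls') %}`, with the path adjusted to wherever those files are expected to live.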
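Review bot: `discovery.seed_hosts` is now built from every entry of `LOGSTASH_NODES`, which per the `logstash:nodes` targeting changed in this commit can include `receiver` and `helix` hosts; if those roles do not run Elasticsearch, discovery keeps probing hosts that never answer, and the former explicit `GLOBALS.manager` seed is only present as long as the manager appears in that pillar. Since each `NODE` entry carries only hostname and IP, the filtering belongs in `logstash/map.jinja` where `node_type` is known — a separate list of Elasticsearch-bearing nodes that this file then iterates. The `{% if grains.id.split('_') | last == 'manager' %}` block at the end of the hunk continues outside it.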
@@ -15,7 +15,7 @@ include:
{% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %}
{% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %}
{% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %}
-{% from 'logstash/map.jinja' import REDIS_NODES with context %}
+{% from 'logstash/map.jinja' import LOGSTASH_NODES %}
vm.max_map_count:
sysctl.present:
@@ -293,9 +293,9 @@ so-elasticsearch:
- networks:
- sosbridge:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- - extra_hosts: {{ REDIS_NODES }}
+ - extra_hosts: {{ LOGSTASH_NODES }}
- environment:
- {% if REDIS_NODES | length == 1 %}
+ {% if LOGSTASH_NODES | length == 1 %}
- discovery.type=single-node
{% endif %}
- ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true
diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja
index 035e36d86..5f0a7ea79 100644
--- a/salt/logstash/map.jinja
+++ b/salt/logstash/map.jinja
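Review bot: `discovery.type=single-node` is now decided by `LOGSTASH_NODES | length == 1`, but that list counts every `logstash:nodes` entry (receivers included), while `config.map.jinja` in this same commit only writes `discovery.seed_hosts` for manager/managersearch; a standalone node with one receiver would get neither single-node mode nor seed hosts and, if that topology is supported, fail to elect a master. Both decisions should key on the same list of nodes that actually run Elasticsearch. The `so-elasticsearch` state this hunk edits starts outside the hunk.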
@@ -1,14 +1,20 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set REDIS_NODES = [] %}
-{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %}
- {% set node_data = salt['pillar.get']('logstash:nodes') %}
- {% for node_type, node_details in node_data.items() | sort %}
- {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
- {% for hostname in node_data[node_type].keys() %}
- {% do REDIS_NODES.append({hostname:node_details[hostname].ip}) %}
- {% endfor %}
- {% endif %}
- {% endfor %}
-{% else %}
- {% do REDIS_NODES.append({GLOBALS.hostname:GLOBALS.node_ip}) %}
-{% endif %}
+{% set LOGSTASH_NODES = [] %}
+{% set node_data = salt['pillar.get']('logstash:nodes') %}
+
+{% for node_type, node_details in node_data.items() | sort %}
+{% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %}
+{% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
+{% for hostname in node_data[node_type].keys() %}
+{% do REDIS_NODES.append({hostname:node_details[hostname].ip}) %}
+{% endfor %}
+{% endif %}
+{% else %}
+{% do REDIS_NODES.append({GLOBALS.hostname:GLOBALS.node_ip}) %}
+{% endif %}
+
+{% for hostname in node_data[node_type].keys() %}
+{% do LOGSTASH_NODES.append({hostname:node_details[hostname].ip}) %}
+{% endfor %}
+{% endfor %}
From 0ba193c7a4d8fe0f87f258a999f6eff88212dcf6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 31 Jan 2023 10:55:14 -0500 Subject: [PATCH 019/470] allow docker_registry fw --- salt/firewall/assigned_hostgroups.map.yaml | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 3fd3fd1f3..8851e3051 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
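Review bot: Moving the role check inside the `for node_type` loop changes behaviour for non-search roles: the `else` branch `{% do REDIS_NODES.append({GLOBALS.hostname:GLOBALS.node_ip}) %}` now runs once per node type present in the `logstash:nodes` pillar, so a sensor or receiver gets its own address repeated several times in `REDIS_NODES` where the old code appended it exactly once. Hoist that self-append out of the loop and keep only the per-node work inside it, as below; the loop-invariant `GLOBALS.role` test moves out with it. A short comment stating what each list is consumed for would also help, since the names alone do not explain why `REDIS_NODES` and `LOGSTASH_NODES` differ.
```jinja
{% set SEARCH_ROLES = ['so-searchnode', 'so-standalone', 'so-managersearch'] %}
{% for node_type, node_details in node_data.items() | sort %}
{% if GLOBALS.role in SEARCH_ROLES and node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %}
{% for hostname in node_data[node_type].keys() %}
{% do REDIS_NODES.append({hostname:node_details[hostname].ip}) %}
{% endfor %}
{% endif %}
{# … unchanged: LOGSTASH_NODES append loop … #}
{% endfor %}
{% if GLOBALS.role not in SEARCH_ROLES %}
{% do REDIS_NODES.append({GLOBALS.hostname:GLOBALS.node_ip}) %}
{% endif %}
```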
@@ -78,6 +78,7 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} + - {{ portgroups.docker_registry }} {% if ISAIRGAP is sameas true %} - {{ portgroups.agrules }} {% endif %} @@ -88,18 +89,21 @@ role: - {{ portgroups.elastic_agent_control }} - {{ portgroups.elastic_agent_data }} - {{ portgroups.yum }} + - {{ portgroups.docker_registry }} searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} - {{ portgroups.yum }} + - {{ portgroups.docker_registry }} heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} - {{ portgroups.yum }} + - {{ portgroups.docker_registry }} self: portgroups: - {{ portgroups.syslog}} @@ -158,6 +162,7 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} + - {{ portgroups.docker_registry }} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -165,16 +170,19 @@ role: - {{ portgroups.elastic_agent_control }} - {{ portgroups.elastic_agent_data }} - {{ portgroups.yum }} + - {{ portgroups.docker_registry }} searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.yum }} + - {{ portgroups.docker_registry }} heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.yum }} + - {{ portgroups.docker_registry }} self: portgroups: - {{ portgroups.syslog}} From cbf2bd13735ee71fe34ae3b9c9f0b5780f9e5bb3 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 31 Jan 2023 10:59:17 -0500 Subject: [PATCH 020/470] Remove OSQuery live query link --- salt/kibana/init.sls | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 4ac0af025..c4222b0a3 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
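Review bot: Each of the four hunks adds `portgroups.docker_registry` by hand to a per-role copy of the same node lists, and those copies have already drifted — in the first role section `searchnodes` carries `beats_5644` while the second section's `searchnodes` does not — so every new port has to be remembered in up to eight places. Defining the shared node portgroup list once (a Jinja list such as `{% set NODE_PORTGROUPS = [portgroups.redis, portgroups.elasticsearch_node, portgroups.yum, portgroups.docker_registry] %}`, or a YAML anchor) and referencing it from each role would stop the drift and make a firewall-opening change a one-line review. A one-line comment on why each group needs the registry (presumably image pulls from the manager) would document intent for the next reviewer.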
@@ -106,12 +106,6 @@ append_so-kibana_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-kibana -osquery_hunt_link: - cmd.script: - - source: salt://kibana/files/live_query_fixup.sh - - cwd: /root - - template: jinja - {% else %} {{sls}}_state_not_allowed: From aa411e2682db4af2c101d855197e1d4741d8a9cd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 31 Jan 2023 12:42:46 -0500 Subject: [PATCH 021/470] allow influxdb on manager and managersearch --- salt/firewall/assigned_hostgroups.map.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 8851e3051..e31b7dbba 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -90,6 +90,7 @@ role: - {{ portgroups.elastic_agent_data }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} searchnodes: portgroups: - {{ portgroups.redis }} @@ -97,6 +98,7 @@ role: - {{ portgroups.beats_5644 }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} heavynodes: portgroups: - {{ portgroups.redis }} @@ -104,6 +106,7 @@ role: - {{ portgroups.beats_5644 }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} self: portgroups: - {{ portgroups.syslog}} @@ -171,18 +174,21 @@ role: - {{ portgroups.elastic_agent_data }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} searchnodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} heavynodes: portgroups: - {{ portgroups.redis }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} + - {{ portgroups.influxdb }} self: portgroups: - {{ portgroups.syslog}} From 74eed31eec6cc0955949aac9b6874f4f31d27f75 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Tue, 31 Jan 2023 12:55:03 -0500 Subject: [PATCH 022/470] Change Elasticsearch output name from 'so-manager_elasticsearch2' to 'so-manager_elasticsearch' --- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index c945aeec3..217d69036 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -29,7 +29,7 @@ cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt) JSON_STRING=$( jq -n \ --arg ESCACRT "$ESCACRT" \ - '{"name":"so-manager_elasticsearch2","id":"so-manager_elasticsearch2","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' ) + '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' ) curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" printf "\n\n" From 16e1e297a057151162438be328c760f45f5a9bad Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 31 Jan 2023 13:32:33 -0500 Subject: [PATCH 023/470] allow elasticsearch_rest --- salt/firewall/assigned_hostgroups.map.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index e31b7dbba..f0c0a7223 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
@@ -94,6 +94,7 @@ role: searchnodes: portgroups: - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} - {{ portgroups.yum }} @@ -102,6 +103,7 @@ role: heavynodes: portgroups: - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} - {{ portgroups.yum }} @@ -178,6 +180,7 @@ role: searchnodes: portgroups: - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} @@ -185,6 +188,7 @@ role: heavynodes: portgroups: - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.yum }} - {{ portgroups.docker_registry }} From 6f1438148f84e9e403850f63a7efb4fb703ebfd4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 31 Jan 2023 16:54:46 -0500 Subject: [PATCH 024/470] allow elastic agent access --- salt/firewall/assigned_hostgroups.map.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index f0c0a7223..2af5b2bc6 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -79,6 +79,8 @@ role: - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.docker_registry }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} {% if ISAIRGAP is sameas true %} - {{ portgroups.agrules }} {% endif %} @@ -100,6 +102,8 @@ role: - {{ portgroups.yum }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} heavynodes: portgroups: - {{ portgroups.redis }} 
@@ -109,6 +113,8 @@ role: - {{ portgroups.yum }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} self: portgroups: - {{ portgroups.syslog}} @@ -168,6 +174,8 @@ role: - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.docker_registry }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} sensors: portgroups: - {{ portgroups.beats_5044 }} @@ -185,6 +193,8 @@ role: - {{ portgroups.yum }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} heavynodes: portgroups: - {{ portgroups.redis }} @@ -193,6 +203,8 @@ role: - {{ portgroups.yum }} - {{ portgroups.docker_registry }} - {{ portgroups.influxdb }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} self: portgroups: - {{ portgroups.syslog}} From 6ec086e24af0e460077e98bd1ccf3d9dc8391f09 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 31 Jan 2023 17:10:11 -0500 Subject: [PATCH 025/470] add influxdb as extra_hosts for grafana container --- salt/grafana/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index f0363c754..90bce30c6 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -128,6 +128,8 @@ so-grafana: - networks: - sosbridge: - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} + - extra_hosts: + - {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}} - binds: - /nsm/grafana:/var/lib/grafana:rw - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro From d2dd68eb443ef02ba822091ef6b8649f92b38aa7 Mon Sep 17 00:00:00 2001 
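Review bot: `- {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}}` drops the spaces inside the braces that the neighbouring `{{ DOCKER.containers['so-grafana'].ip }}` line uses; keep one style, `- {{ GLOBALS.influxdb_host }}:{{ pillar.node_data[GLOBALS.influxdb_host].ip }}`. The `pillar.node_data[...]` subscript is unguarded, so if `node_data` has no entry for the influxdb host (I can't see from here how that pillar is populated) the entire `so-grafana` state fails to render rather than just this `extra_hosts` entry; wrapping the entry in `{% if GLOBALS.influxdb_host in pillar.node_data %}` gives a clearer failure mode. The `so-grafana` state definition starts before the hunk.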
From: m0duspwnens Date: Wed, 1 Feb 2023 11:31:36 -0500 Subject: [PATCH 026/470] add global vars for managersearch --- salt/vars/managersearch.map.jinja | 15 +++++++++++++++ salt/vars/searchnode.map.jinja | 4 ++-- 2 files changed, 17 insertions(+), 2 deletions(-) create mode 100644 salt/vars/managersearch.map.jinja diff --git a/salt/vars/managersearch.map.jinja b/salt/vars/managersearch.map.jinja new file mode 100644 index 000000000..c2a3d9628 --- /dev/null +++ b/salt/vars/managersearch.map.jinja @@ -0,0 +1,15 @@ +{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} +{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %} + +{% set ROLE_GLOBALS = {} %} + +{% set MANAGERSEARCH_GLOBALS = + [ + ELASTICSEARCH_GLOBALS, + LOGSTASH_GLOBALS + ] +%} + +{% for sg in MANAGERSEARCH_GLOBALS %} +{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %} +{% endfor %} diff --git a/salt/vars/searchnode.map.jinja b/salt/vars/searchnode.map.jinja index 2efabefed..3b9d91bfc 100644 --- a/salt/vars/searchnode.map.jinja +++ b/salt/vars/searchnode.map.jinja @@ -3,13 +3,13 @@ {% set ROLE_GLOBALS = {} %} -{% set STANDALONE_GLOBALS = +{% set SEARCHNODE_GLOBALS = [ ELASTICSEARCH_GLOBALS, LOGSTASH_GLOBALS ] %} -{% for sg in STANDALONE_GLOBALS %} +{% for sg in SEARCHNODE_GLOBALS %} {% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %} {% endfor %} From 2101ca60e925caed34fb4d735e6b6a815d91a8f9 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 1 Feb 2023 14:25:46 -0500 Subject: [PATCH 027/470] Add 'configured_vulns_ext_vars.yar' to exclusion list --- salt/strelka/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 8df73a212..792431dc6 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -16,3 +16,4 @@ strelka: - gen_sign_anomalies.yar - gen_susp_xor.yar - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar 
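Review bot: The new salt/vars/managersearch.map.jinja is a line-for-line copy of searchnode.map.jinja with only the list name changed (both merge `ELASTICSEARCH_GLOBALS` and `LOGSTASH_GLOBALS` into `ROLE_GLOBALS` with `merge_lists=False`), so the two files will drift the first time one role gains a component the other does not. If the duplication is deliberate, a header comment such as `{# managersearch currently shares the searchnode role globals; keep in sync with searchnode.map.jinja #}` tells the next maintainer that; otherwise a single shared file imported by both roles removes the risk. The rename from `STANDALONE_GLOBALS` to `SEARCHNODE_GLOBALS` in searchnode.map.jinja is a welcome correction.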
From d24205062778a171062468cfe8487805ccd6ef63 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 1 Feb 2023 15:59:35 -0500 Subject: [PATCH 028/470] Disable loading of Kibana and Logstash logs for now since there are issues with the packages from the registry --- .../so-elastic-fleet-integration-policy-load | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index e82011896..4e60bf9ad 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -87,16 +87,16 @@ curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POS echo # Logstash logs -echo -echo "Setting up Logstash package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "logstash", "version": "2.0.0" }, "id": "logstash-logs", "name": "logstash-logs", "description": "Logstash logs", "namespace": "default", "inputs": { "logstash-logfile": { "enabled": true, "streams": { "logstash.log": { "enabled": true, "vars": { "paths": [ "/opt/so/logs/logstash/logstash.log" ] } }, "logstash.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/logstash/logstash-slowlog-plain*.log", "/var/log/logstash/logstash-slowlog-json*.log" ] } } } }, "logstash-logstash/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9600" ], "period": "10s" }, "streams": { "logstash.stack_monitoring.node": { "enabled": false }, "logstash.stack_monitoring.node_stats": { "enabled": false } } } } }' -echo +#echo +#echo "Setting up Logstash package policy..." 
+#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "logstash", "version": "2.0.0" }, "id": "logstash-logs", "name": "logstash-logs", "description": "Logstash logs", "namespace": "default", "inputs": { "logstash-logfile": { "enabled": true, "streams": { "logstash.log": { "enabled": true, "vars": { "paths": [ "/opt/so/logs/logstash/logstash.log" ] } }, "logstash.slowlog": { "enabled": false, "vars": { "paths": [ "/var/log/logstash/logstash-slowlog-plain*.log", "/var/log/logstash/logstash-slowlog-json*.log" ] } } } }, "logstash-logstash/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:9600" ], "period": "10s" }, "streams": { "logstash.stack_monitoring.node": { "enabled": false }, "logstash.stack_monitoring.node_stats": { "enabled": false } } } } }' +#echo # Kibana logs -echo -echo "Setting up Kibana package policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "kibana", "version": "2.0.0" }, "id": "kibana-logs", "name": "kibana-logs", "description": "Kibana logs", "namespace": "default", "inputs": { "kibana-logfile": { "enabled": true, "streams": { "kibana.audit": { "enabled": false, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } }, "kibana.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } } } }, "kibana-kibana/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:5601" ] }, "streams": { "kibana.stack_monitoring.cluster_actions": { "enabled": false }, "kibana.stack_monitoring.cluster_rules": { "enabled": false }, "kibana.stack_monitoring.node_actions": { "enabled": false }, "kibana.stack_monitoring.node_rules": { "enabled": false }, "kibana.stack_monitoring.stats": { "enabled": false }, "kibana.stack_monitoring.status": { "enabled": false } } } } }' -echo +#echo +#echo "Setting up Kibana package policy..." 
+#curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "kibana", "version": "2.0.0" }, "id": "kibana-logs", "name": "kibana-logs", "description": "Kibana logs", "namespace": "default", "inputs": { "kibana-logfile": { "enabled": true, "streams": { "kibana.audit": { "enabled": false, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } }, "kibana.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kibana/kibana.log" ] } } } }, "kibana-kibana/metrics": { "enabled": false, "vars": { "hosts": [ "http://localhost:5601" ] }, "streams": { "kibana.stack_monitoring.cluster_actions": { "enabled": false }, "kibana.stack_monitoring.cluster_rules": { "enabled": false }, "kibana.stack_monitoring.node_actions": { "enabled": false }, "kibana.stack_monitoring.node_rules": { "enabled": false }, "kibana.stack_monitoring.stats": { "enabled": false }, "kibana.stack_monitoring.status": { "enabled": false } } } } }' +#echo # Redis logs echo From 5fba3c58721fc9620d1bfba2392a5be47ba11486 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 2 Feb 2023 14:48:01 +0000 Subject: [PATCH 029/470] Add Suricata metadata configuration --- salt/suricata/suricata_config.map.jinja | 34 +++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/salt/suricata/suricata_config.map.jinja b/salt/suricata/suricata_config.map.jinja index 2a03f5fbb..fb4c22af3 100644 --- a/salt/suricata/suricata_config.map.jinja +++ b/salt/suricata/suricata_config.map.jinja 
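Review bot: The Logstash and Kibana package-policy blocks are disabled by prefixing every line with `#`, and the reason lives only in the commit message, so the file itself gives no hint of when they can be re-enabled; a comment above each block such as `# Disabled: the logstash/kibana packages from the registry currently fail to install; re-enable once that is fixed`, or a variable that gates the two blocks, would keep the intent visible. Before re-enabling, note that the disabled Kibana policy points both `kibana.audit` and `kibana.log` at `/opt/so/log/kibana/kibana.log`, and the Logstash block uses `/opt/so/logs/logstash/...` while the Kibana block uses `/opt/so/log/kibana/...` — one of these looks like a typo, though I can't confirm the on-disk layout from this hunk. The surrounding script continues outside the hunk.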
@@ -1,6 +1,11 @@ {% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context %} +{% import_yaml 'suricata/suricata_meta.yaml' as suricata_meta with context %} {% set suricata_pillar = pillar.suricata %} {% set surimerge = salt['defaults.merge'](suricata_defaults, suricata_pillar, in_place=False) %} +{% set default_evelog_index = [] %} +{% set default_filestore_index = [] %} +{% set surimeta_evelog_index = [] %} +{% set surimeta_filestore_index = [] %} {% load_yaml as afpacket %} - interface: {{ surimerge.suricata.config['af-packet'].interface }} 
@@ -20,3 +25,32 @@
 {% endfor %}
 {% endload %}
 {% do suricata_defaults.suricata.config.update({'outputs': outputs}) %}
+
+{# Find the index of eve-log so it can be updated later #}
+{% for li in suricata_defaults.suricata.config.outputs %}
+ {% if 'eve-log' in li.keys() %}
+ {% do default_evelog_index.append(loop.index0) %}
+ {% endif %}
+ {% if 'file-store' in li.keys() %}
+ {% do default_filestore_index.append(loop.index0) %}
+ {% endif %}
+{% endfor %}
+{% set default_evelog_index = default_evelog_index[0] %}
+{% set default_filestore_index = default_filestore_index[0] %}
+
+{# Find the index of eve-log so it can be grabbed later #}
+{% for li in suricata_meta.suricata.config.outputs %}
+ {% if 'eve-log' in li.keys() %}
+ {% do surimeta_evelog_index.append(loop.index0) %}
+ {% endif %}
+ {% if 'file-store' in li.keys() %}
+ {% do surimeta_filestore_index.append(loop.index0) %}
+ {% endif %}
+{% endfor %}
+{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
+{% set surimeta_filestore_index = surimeta_filestore_index[0] %}
+
+{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'SURICATA' %}
+ {% do suricata_defaults.suricata.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_meta.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
+ {% do suricata_defaults.suricata.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_meta.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
+{% endif %}
From 9eae31e48820326b2e5e02435ba6e7554b4e5969 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 2 Feb 2023 10:03:22 -0500 Subject: [PATCH 030/470] add managersearch to allowed roles for so-firewall. fix setup error from so-firewall "Please specify a role with --role=" --- salt/common/tools/sbin/so-firewall | 2 +- setup/so-functions | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
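Review bot: `{% set default_evelog_index = default_evelog_index[0] %}` and the three matching `[0]` lines dereference lists that are only filled when the loop found an `eve-log` or `file-store` entry, so a defaults.yaml or suricata_meta.yaml (neither visible here) without one of those outputs makes the whole map fail with a bare index error instead of saying which output is missing; checking `| length` before each `[0]` and raising a descriptive error, or skipping the `SURICATA` branch, would be friendlier. Both `{# Find the index of eve-log ... #}` comments mention only eve-log while the loops also record file-store; `{# Record the positions of the eve-log and file-store outputs so they can be updated below #}` describes what the code does. `.types.extend(...)` also appends the meta types without deduplication, so a type listed in both files ends up twice in the rendered eve-log config — worth confirming that Suricata tolerates that.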
diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 2a8aed0e7..69808c709 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -43,7 +43,7 @@ APPLY=${APPLY,,} function rolecall() { THEROLE=$1 - THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager receivers searchnodes sensors standalone strelka_frontend syslog" + THEROLES="analyst analyst_workstations beats_endpoint beats_endpoint_ssl elastic_agent_endpoint elasticsearch_rest endgame eval heavynodes idh manager managersearch receivers searchnodes sensors standalone strelka_frontend syslog" for AROLE in $THEROLES; do if [ "$AROLE" = "$THEROLE" ]; then diff --git a/setup/so-functions b/setup/so-functions index a76126519..b70e73965 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1179,8 +1179,8 @@ firewall_generate_templates() { logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" - for i in analyst beats_endpoint endgame sensor manager minion elastic_agent_endpoint search_node; do - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 + for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do + $default_salt_dir/salt/common/tools/sbin/so-firewall --role="$i" --ip=127.0.0.1 done } From bc082dff9995bc39efc21a5524bd71679a6ef7b3 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 2 Feb 2023 16:22:42 +0000 Subject: [PATCH 031/470] Only run Zeek if it is defined as 'mdengine' --- salt/common/tools/sbin/so-import-pcap | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index b099f39a4..d443e9f07 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -148,11 +148,12 @@ for PCAP in "$@"; do # generate IDS alerts and write them to standard pipeline echo "- analyzing traffic with Suricata" suricata "${PCAP}" $HASH - - # generate Zeek logs and write them to a unique subdirectory in /nsm/import/bro/ + {% if salt['pillar.get']('global:mdengine') == 'ZEEK' %} + # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/ # since each run writes to a unique subdirectory, there is no need for a lock file echo "- analyzing traffic with Zeek" zeek "${PCAP}" $HASH + {% endif %} START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') From 3e808a70fa9b048faf7f92979300c3918bee774e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 2 Feb 2023 12:11:03 -0500 Subject: [PATCH 032/470] allow managersearch. comment out localhost allow in setup --- salt/firewall/assigned_hostgroups.map.yaml | 2 +- setup/so-functions | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 2af5b2bc6..25dbba1b0 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -164,7 +164,7 @@ role: chain: DOCKER-USER: hostgroups: - manager: + managersearch: portgroups: - {{ portgroups.playbook }} - {{ portgroups.mysql }} diff --git a/setup/so-functions b/setup/so-functions index b70e73965..2730adcc7 100755 --- a/setup/so-functions +++ b/setup/so-functions 
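Review bot: `salt['pillar.get']('global:mdengine')` has no default here, whereas suricata_config.map.jinja in this same series reads the key with a `'ZEEK'` fallback, so on a minion where the pillar key is unset the Suricata side behaves as if Zeek is the engine while so-import-pcap silently skips the Zeek run. Use the same default, `{% if salt['pillar.get']('global:mdengine', 'ZEEK') == 'ZEEK' %}`, and document it next to the other call so the two stay aligned. The indented `{% if %}`/`{% endif %}` tags render as whitespace-only lines inside the script, harmless in bash but `{%-` / `-%}` trimming keeps the rendered file clean. The enclosing `for PCAP` loop starts and ends outside the hunk.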
@@ -1179,9 +1179,10 @@ firewall_generate_templates() { logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" - for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do - $default_salt_dir/salt/common/tools/sbin/so-firewall --role="$i" --ip=127.0.0.1 - done + # i think this can be commented out for 2.4 + #for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do + # $default_salt_dir/salt/common/tools/sbin/so-firewall --role="$i" --ip=127.0.0.1 + #done } From df9ef9ffc73b0c23906d27f62a18b65081784b67 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 3 Feb 2023 09:55:33 -0500 Subject: [PATCH 033/470] add managersearch --- salt/firewall/map.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 1ec3271c4..2fa295447 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -22,6 +22,7 @@ 'heavynodes', 'idh', 'manager', + 'managersearch', 'receivers', 'searchnodes', 'sensors', From a37f0fd0c0e5ea8b7c50e752310477247ca37d4b Mon Sep 17 00:00:00 2001 
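Review bot: The role loop is left in place as commented-out code under `# i think this can be commented out for 2.4`, which records a doubt rather than a decision, and the loop it disables was only just corrected two commits earlier. Either delete the block (git keeps the history) or replace the comment with the actual reason, e.g. `# No explicit 127.0.0.1 includehost per role: localhost access is granted by the role hostgroup definitions`, provided that is in fact the case — I can't confirm it from this hunk. `firewall_generate_templates` starts before the hunk.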
From: m0duspwnens Date: Fri, 3 Feb 2023 10:07:07 -0500 Subject: [PATCH 034/470] rename sosbridge to sobridge --- salt/curator/init.sls | 2 +- salt/docker/init.sls | 6 ++--- salt/elastalert/init.sls | 2 +- salt/elastic-fleet-package-registry/init.sls | 2 +- salt/elastic-fleet/init.sls | 2 +- salt/elasticsearch/init.sls | 2 +- salt/filebeat/init.sls | 2 +- salt/firewall/iptables.jinja | 26 ++++++++++---------- salt/grafana/init.sls | 2 +- salt/idstools/init.sls | 2 +- salt/influxdb/init.sls | 2 +- salt/kibana/init.sls | 2 +- salt/kratos/init.sls | 2 +- salt/logstash/init.sls | 2 +- salt/mysql/init.sls | 2 +- salt/nginx/init.sls | 2 +- salt/playbook/init.sls | 2 +- salt/redis/init.sls | 2 +- salt/registry/init.sls | 2 +- salt/soc/init.sls | 2 +- salt/soctopus/init.sls | 2 +- salt/strelka/init.sls | 12 ++++----- 22 files changed, 41 insertions(+), 41 deletions(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 293475187..e62304bce 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -130,7 +130,7 @@ so-curator: - name: so-curator - user: curator - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-curator'].ip }} - interactive: True - tty: True diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 405a75938..687836aef 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -79,13 +79,13 @@ dockerreserveports: sos_docker_net: docker_network.present: - - name: sosbridge + - name: sobridge - subnet: {{ DOCKER.sosrange }} - gateway: {{ DOCKER.sosbip }} - options: - com.docker.network.bridge.name: 'sosbridge' + com.docker.network.bridge.name: 'sobridge' com.docker.network.driver.mtu: '1500' com.docker.network.bridge.enable_ip_masquerade: 'true' com.docker.network.bridge.enable_icc: 'true' com.docker.network.bridge.host_binding_ipv4: '0.0.0.0' - - unless: 'docker network ls | grep sosbridge' + - unless: 'docker network ls | grep sobridge' 
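Review bot: Renaming the Docker network in `sos_docker_net` from `sosbridge` to `sobridge` is more than a label change on an already-installed node: `docker_network.present` will try to create `sobridge` on the same `{{ DOCKER.sosrange }}` subnet while the old `sosbridge` network still exists, and Docker rejects overlapping address pools, so this state and every container state that follows it are likely to fail until the old network is removed — nothing in this series shows a migration step, though one may live elsewhere. A preceding `docker_network.absent` for `sosbridge` (once its containers are stopped) or an upgrade-script step would cover that. The `- unless: 'docker network ls | grep sobridge'` guard is also a plain substring match; `grep -w sobridge` avoids matching any later network whose name merely contains it.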
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 1db789935..37d749223 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -88,7 +88,7 @@ so-elastalert: - name: so-elastalert - user: so-elastalert - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-elastalert'].ip }} - detach: True - binds: diff --git a/salt/elastic-fleet-package-registry/init.sls b/salt/elastic-fleet-package-registry/init.sls index 2a72a417d..b4cea6542 100644 --- a/salt/elastic-fleet-package-registry/init.sls +++ b/salt/elastic-fleet-package-registry/init.sls @@ -29,7 +29,7 @@ so-elastic-fleet-package-registry: - detach: True - user: 948 - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-elastic-fleet-package-registry'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 1460fda38..be9bac96e 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -49,7 +49,7 @@ so-elastic-fleet: - detach: True - user: 947 - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 857a3a558..43e8d9f72 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -291,7 +291,7 @@ so-elasticsearch: - name: so-elasticsearch - user: elasticsearch - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }} - extra_hosts: {{ LOGSTASH_NODES }} - environment: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 0bb1eaf34..988807f82 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
@@ -99,7 +99,7 @@ so-filebeat: - hostname: so-filebeat - user: root - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }} - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} - binds: diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index 77f6ef012..fe40b69a9 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja @@ -33,11 +33,11 @@ {%- endif %} {%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} {%- if bindip | length and bindip != '0.0.0.0' %} -{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} {%- else %} -{%- do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- do D1.append("-A DOCKER ! -i sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} {%- endif %} -{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} +{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sobridge -o sobridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} {%- endfor %} {%- endif %} {%- endfor %} 
@@ -50,11 +50,11 @@ :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE +-A POSTROUTING -s {{DOCKER.sosrange}} ! -o sobridge -j MASQUERADE {%- for rule in PR %} {{ rule }} {%- endfor %} --A DOCKER -i sosbridge -j RETURN +-A DOCKER -i sobridge -j RETURN {%- for rule in D1 %} {{ rule }} {%- endfor %} @@ -98,10 +98,10 @@ COMMIT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-ISOLATION-STAGE-1 --A FORWARD -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -o sosbridge -j DOCKER --A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT --A FORWARD -i sosbridge -o sosbridge -j ACCEPT +-A FORWARD -o sobridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -o sobridge -j DOCKER +-A FORWARD -i sobridge ! -o sobridge -j ACCEPT +-A FORWARD -i sobridge -o sobridge -j ACCEPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -m conntrack --ctstate INVALID -j DROP @@ -113,12 +113,12 @@ COMMIT {{ rule }} {%- endfor %} --A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2 +-A DOCKER-ISOLATION-STAGE-1 -i sobridge ! -o sobridge -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -j RETURN --A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP +-A DOCKER-ISOLATION-STAGE-2 -o sobridge -j DROP -A DOCKER-ISOLATION-STAGE-2 -j RETURN --A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING +-A DOCKER-USER ! -i sobridge -o sobridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A DOCKER-USER ! -i sobridge -o sobridge -j LOGGING -A DOCKER-USER -j RETURN -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: " -A LOGGING -j DROP 
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 90bce30c6..1c5f30d5b 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -126,7 +126,7 @@ so-grafana: - hostname: grafana - user: socore - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - extra_hosts: - {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 490cea3f7..78f6c2735 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -33,7 +33,7 @@ so-idstools: - hostname: so-idstools - user: socore - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-idstools'].ip }} {% if proxy %} - environment: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 1758f17ae..4fe625209 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -49,7 +49,7 @@ so-influxdb: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }} - hostname: influxdb - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - environment: - INFLUXDB_HTTP_LOG_ENABLED=false diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index c4222b0a3..19682e105 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -83,7 +83,7 @@ so-kibana: - hostname: kibana - user: kibana - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-kibana'].ip }} - environment: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index ef77951d9..c52ae15f8 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -69,7 +69,7 @@ so-kratos: - hostname: kratos - name: so-kratos - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-kratos'].ip }} - binds: - /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro 
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 05b184239..1b4aeb334 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -140,7 +140,7 @@ so-logstash: - hostname: so-logstash - name: so-logstash - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-logstash'].ip }} - user: logstash - extra_hosts: {{ REDIS_NODES }} diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index ebb9b09e7..b2c4a2119 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -85,7 +85,7 @@ so-mysql: - hostname: so-mysql - user: socore - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 6547732df..eac0e9ac8 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -85,7 +85,7 @@ so-nginx: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }} - hostname: so-nginx - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 237cc398b..799f46099 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -81,7 +81,7 @@ so-playbook: - hostname: playbook - name: so-playbook - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw diff --git a/salt/redis/init.sls b/salt/redis/init.sls index dce00bd8b..ebaad842b 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -47,7 +47,7 @@ so-redis: - hostname: so-redis - user: socore - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-redis'].port_bindings %} 
diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 321b1c3d2..428cfd81d 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -39,7 +39,7 @@ so-dockerregistry: - image: ghcr.io/security-onion-solutions/registry:latest - hostname: so-registry - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }} - restart_policy: always - port_bindings: diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 3c1000dee..502b47136 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -97,7 +97,7 @@ so-soc: - hostname: soc - name: so-soc - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - binds: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 5097ea112..fe9cb6d60 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -64,7 +64,7 @@ so-soctopus: - hostname: soctopus - name: so-soctopus - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }} - binds: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 76fdce509..796533c2d 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -169,7 +169,7 @@ strelka_coordinator: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-coordinator - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: 
@@ -187,7 +187,7 @@ strelka_gatekeeper: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }} - name: so-strelka-gatekeeper - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: @@ -209,7 +209,7 @@ strelka_frontend: - privileged: True - name: so-strelka-frontend - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - port_bindings: @@ -230,7 +230,7 @@ strelka_backend: - /opt/so/conf/strelka/rules/:/etc/yara/:ro - name: so-strelka-backend - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend - restart_policy: on-failure @@ -247,7 +247,7 @@ strelka_manager: - /opt/so/conf/strelka/manager/:/etc/strelka/:ro - name: so-strelka-manager - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager @@ -264,7 +264,7 @@ strelka_filestream: - /nsm/strelka:/nsm/strelka - name: so-strelka-filestream - networks: - - sosbridge: + - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream From e0e094cd95f5e16f7c6278b863cefc4af81e808c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 3 Feb 2023 10:10:51 -0500 Subject: [PATCH 035/470] rename sosbip and sosrange to sobip and sorange --- salt/docker/defaults.yaml | 4 ++-- salt/docker/docker.map.jinja | 2 +- salt/docker/init.sls | 4 ++-- salt/firewall/hostgroups.yaml | 2 +- salt/firewall/iptables.jinja | 2 +- salt/playbook/init.sls | 4 ++-- salt/soc/defaults.map.jinja | 2 +- setup/so-functions | 4 ++-- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index e2ec07d32..7f3d40573 100644 
--- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -1,8 +1,8 @@ docker: bip: '172.17.0.1' range: '172.17.0.0/24' - sosrange: '172.17.1.0/24' - sosbip: '172.17.1.1' + sorange: '172.17.1.0/24' + sobip: '172.17.1.1' containers: 'so-dockerregistry': final_octet: 20 diff --git a/salt/docker/docker.map.jinja b/salt/docker/docker.map.jinja index 7046fc196..299977d6e 100644 --- a/salt/docker/docker.map.jinja +++ b/salt/docker/docker.map.jinja @@ -1,6 +1,6 @@ {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} -{% set RANGESPLIT = DOCKER.sosrange.split('.') %} +{% set RANGESPLIT = DOCKER.sorange.split('.') %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% for container, vals in DOCKER.containers.items() %} diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 687836aef..37208650e 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -80,8 +80,8 @@ dockerreserveports: sos_docker_net: docker_network.present: - name: sobridge - - subnet: {{ DOCKER.sosrange }} - - gateway: {{ DOCKER.sosbip }} + - subnet: {{ DOCKER.sorange }} + - gateway: {{ DOCKER.sobip }} - options: com.docker.network.bridge.name: 'sobridge' com.docker.network.driver.mtu: '1500' diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml index 105b98144..d669d96e4 100644 --- a/salt/firewall/hostgroups.yaml +++ b/salt/firewall/hostgroups.yaml @@ -10,7 +10,7 @@ firewall: ips: delete: insert: - - {{ DOCKER.sosrange }} + - {{ DOCKER.sorange }} localhost: ips: delete: diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index fe40b69a9..ec2a5ae65 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
@@ -50,7 +50,7 @@ :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A POSTROUTING -s {{DOCKER.sosrange}} ! -o sobridge -j MASQUERADE +-A POSTROUTING -s {{DOCKER.sorange}} ! -o sobridge -j MASQUERADE {%- for rule in PR %} {{ rule }} {%- endfor %} diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 799f46099..1b75935f1 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -18,7 +18,7 @@ create_playbookdbuser: mysql_user.present: - name: playbookdbuser - password: {{ PLAYBOOKPASS }} - - host: "{{ DOCKER.sosrange.split('/')[0] }}/255.255.255.0" + - host: "{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0" - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root @@ -27,7 +27,7 @@ create_playbookdbuser: query_playbookdbuser_grants: mysql_query.run: - database: playbook - - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sosrange.split('/')[0] }}/255.255.255.0';" + - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0';" - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 5f9e87b83..e26a8050f 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -19,7 +19,7 @@ {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% endif %} -{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sosrange, 'apiKey': pillar.sensoroni.sensoronikey}) %} +{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %} {% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.minion_id}) %} 
diff --git a/setup/so-functions b/setup/so-functions index 2730adcc7..580f4076e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1491,8 +1491,8 @@ docker_pillar() { touch $adv_docker_pillar_file printf '%s\n'\ "docker:"\ - " sosrange: '$DOCKERNET2/24'"\ - " sosbip: '$DOCKER2BIP'"\ + " sorange: '$DOCKERNET2/24'"\ + " sobip: '$DOCKER2BIP'"\ " range: '$DOCKERNET/24'"\ " bip: '$DOCKERBIP'" > $docker_pillar_file } From e8a1e164aa1b466fa1f624d2b818581f55882f05 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 3 Feb 2023 10:58:08 -0500 Subject: [PATCH 036/470] add so.version module --- salt/_modules/so.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index 037b7da00..86838af7f 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -5,6 +5,8 @@ import logging def status(): return __salt__['cmd.run']('/usr/sbin/so-status') +def version(): + return __salt__['cp.get_file_str']('/etc/soversion') def mysql_conn(retry): log = logging.getLogger(__name__) @@ -61,4 +63,4 @@ def mysql_conn(retry): for addr in ip_arr: log.debug(f' - {addr}') - return mysql_up \ No newline at end of file + return mysql_up From cd38ecb3005ab336ca8e44e72a00cc5d08539e83 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 6 Feb 2023 11:52:42 -0500 Subject: [PATCH 037/470] change whiptail selections from radiolist to menu where appropriate --- setup/so-functions | 6 +++- setup/so-whiptail | 80 +++++++++++++++++++++++----------------------- 2 files changed, 45 insertions(+), 41 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 580f4076e..e15c7a191 100755 --- a/setup/so-functions +++ b/setup/so-functions 
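Review bot: The new `version()` hands back the raw result of `cp.get_file_str('/etc/soversion')`, which carries the file's trailing newline on success and, as far as I recall Salt's implementation, is `False` rather than a string when the file cannot be read — worth confirming against the Salt release in use, since callers comparing or formatting the version will hit both cases. Normalizing at the source keeps that out of every caller: `contents = __salt__['cp.get_file_str']('/etc/soversion')` followed by `return contents.strip() if contents else contents`. Neither `status()` nor `version()` has a docstring; a one-liner such as `"""Return the installed Security Onion version read from /etc/soversion."""` would document the contract. The second hunk only restores the missing trailing newline after `return mysql_up`.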
@@ -1152,22 +1152,26 @@ filter_unused_nics() { readarray -t filtered_nics <<< "$filtered_nics" nic_list=() + nic_list_management=() for nic in "${filtered_nics[@]}"; do local nic_mac=$(cat "/sys/class/net/${nic}/address" 2>/dev/null) case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in 1) nic_list+=("$nic" "$nic_mac Link UP " "OFF") + nic_list_management+=("$nic" "$nic_mac Link UP " ) ;; 0) nic_list+=("$nic" "$nic_mac Link DOWN " "OFF") + nic_list_management+=("$nic" "$nic_mac Link DOWN " ) ;; *) nic_list+=("$nic" "$nic_mac Link UNKNOWN " "OFF") + nic_list_management+=("$nic" "$nic_mac Link UNKNOWN " ) ;; esac done - export nic_list + export nic_list nic_list_management } # Generate Firewall Templates diff --git a/setup/so-whiptail b/setup/so-whiptail index e5de2cf5b..715baa375 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -262,10 +262,10 @@ whiptail_dhcp_or_static() { [ -n "$TESTING" ] && return - address_type=$(whiptail --title "$whiptail_title" --radiolist \ + address_type=$(whiptail --title "$whiptail_title" --menu \ "Choose how to set up your management interface:" 20 78 4 \ - "STATIC" "Set a static IPv4 address" ON \ - "DHCP" "Use DHCP to configure the Management Interface" OFF 3>&1 1>&2 2>&3 ) + "STATIC" "Set a static IPv4 address" \ + "DHCP" "Use DHCP to configure the Management Interface" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
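Review bot: The three `case` branches in `filter_unused_nics` now build two parallel arrays from the same `$nic`/`$nic_mac`/link-state data, so the six `+=` lines differ only in the word UP/DOWN/UNKNOWN and the trailing `"OFF"` that the radiolist form needs; computing the link state once and appending to both arrays after the `case` removes the duplication and keeps the two lists from drifting. Note also that `export nic_list nic_list_management` cannot pass arrays to a child process — bash does not export array variables — so this only works because the consumer (presumably `so-whiptail`) runs in the same shell; a short comment saying so would save the next reader a debugging session. The function's opening lines are outside the hunk.
```shell
    for nic in "${filtered_nics[@]}"; do
        local nic_mac=$(cat "/sys/class/net/${nic}/address" 2>/dev/null)
        local link_state
        case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in
            1) link_state="UP" ;;
            0) link_state="DOWN" ;;
            *) link_state="UNKNOWN" ;;
        esac
        nic_list+=("$nic" "$nic_mac Link $link_state " "OFF")
        nic_list_management+=("$nic" "$nic_mac Link $link_state ")
    done
    # … unchanged: export of nic_list and nic_list_management (same-shell only, arrays are not exported) …
```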
@@ -471,13 +471,13 @@ whiptail_install_type() { [ -n "$TESTING" ] && return # What kind of install are we doing? - install_type=$(whiptail --title "$whiptail_title" --radiolist \ + install_type=$(whiptail --title "$whiptail_title" --menu \ "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \ - "IMPORT" "Import PCAP or log files " ON \ - "EVAL" "Evaluation mode (not for production) " OFF \ - "STANDALONE" "Standalone production install " OFF \ - "DISTRIBUTED" "Distributed install submenu " OFF \ - "OTHER" "Other install types" OFF \ + "IMPORT" "Import PCAP or log files " \ + "EVAL" "Evaluation mode (not for production) " \ + "STANDALONE" "Standalone production install " \ + "DISTRIBUTED" "Distributed install submenu " \ + "OTHER" "Other install types" \ 3>&1 1>&2 2>&3 ) @@ -503,8 +503,8 @@ whiptail_install_type_dist() { [ -n "$TESTING" ] && return dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ - "Existing Deployment " "Join to an existing Security Onion deployment " \ "New Deployment " "Create a new Security Onion deployment" \ + "Existing Deployment " "Join to an existing Security Onion deployment " \ 3>&1 1>&2 2>&3 ) local exitstatus=$? @@ -525,9 +525,9 @@ whiptail_install_type_dist_new() { Note: MANAGER is the recommended option for most users. MANAGERSEARCH should only be used in very specific situations. EOM - install_type=$(whiptail --title "$whiptail_title" --radiolist "$mngr_msg" 15 75 2 \ - "MANAGER" "New grid, requires separate search node(s) " ON \ - "MANAGERSEARCH" "New grid, separate search node(s) are optional " OFF \ + install_type=$(whiptail --title "$whiptail_title" --menu "$mngr_msg" 20 75 2 \ + "MANAGER" "New grid, requires separate search node(s) " \ + "MANAGERSEARCH" "New grid, separate search node(s) are optional " \ 3>&1 1>&2 2>&3 ) 
@@ -545,18 +545,18 @@ whiptail_install_type_dist_existing() { Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users. EOM - install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \ - "SENSOR" "Create a forward only sensor " ON \ - "SEARCHNODE" "Add a search node with parsing " OFF \ - "FLEET" "Dedicated Fleet Osquery Node " OFF \ - "HEAVYNODE" "Sensor + Search Node " OFF \ - "IDH" "Intrusion Detection Honeypot Node " OFF \ - "RECEIVER" "Receiver Node " OFF \ + install_type=$(whiptail --title "$whiptail_title" --menu "$node_msg" 19 75 6 \ + "SENSOR" "Create a forward only sensor " \ + "SEARCHNODE" "Add a search node with parsing " \ + "FLEET" "Dedicated Fleet Osquery Node " \ + "HEAVYNODE" "Sensor + Search Node " \ + "IDH" "Intrusion Detection Honeypot Node " \ + "RECEIVER" "Receiver Node " \ 3>&1 1>&2 2>&3 - # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO - # "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO - # "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO - # "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO + # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" \ # TODO + # "WARMNODE" "Add Warm Node to existing Hot or Search node" \ # TODO + # "WAZUH" "Stand Alone Wazuh Server" \ # TODO + # "STRELKA" "Stand Alone Strelka Node" \ # TODO ) if [ "$install_type" = 'EVAL' ]; then is_eval=true @@ -597,10 +597,10 @@ whiptail_install_type_other() { [ -n "$TESTING" ] && return - install_type=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose node type:" 9 65 2 \ - "ANALYST" "Setup will run 'so-setup analyst' " ON \ - "HELIXSENSOR" "Create a Helix sensor " OFF \ + install_type=$(whiptail --title "$whiptail_title" --menu \ + "Choose node type:" 10 65 2 \ + "ANALYST" "Setup will run 'so-setup analyst' " \ + "HELIXSENSOR" "Create a Helix sensor " \ 3>&1 1>&2 2>&3 ) 
@@ -788,13 +788,13 @@ whiptail_management_nic() { filter_unused_nics - MNIC=$(whiptail --title "$whiptail_title" --radiolist "Please select the NIC you would like to use for management.\n\nUse the arrow keys to move around and the space bar to select." 22 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + MNIC=$(whiptail --title "$whiptail_title" --menu "Please select the NIC you would like to use for management.\n\nUse the arrow keys to move around and the Enter key to select." 20 75 12 "${nic_list_management[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus while [ -z "$MNIC" ] do - MNIC=$(whiptail --title "$whiptail_title" --radiolist "Please select the NIC you would like to use for management.\n\nUse the arrow keys to move around and the space bar to select." 22 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + MNIC=$(whiptail --title "$whiptail_title" --menu "Please select the NIC you would like to use for management.\n\nUse the arrow keys to move around and the Enter key to select." 22 75 12 "${nic_list_management[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus done @@ -878,10 +878,10 @@ whiptail_manager_adv() { [ -n "$TESTING" ] && return - MANAGERADV=$(whiptail --title "$whiptail_title" --radiolist \ + MANAGERADV=$(whiptail --title "$whiptail_title" --menu \ "Choose which type of manager to install:" 20 75 4 \ - "BASIC" "Install manager with recommended settings" ON \ - "ADVANCED" "Do additional configuration to the manager" OFF 3>&1 1>&2 2>&3 ) + "BASIC" "Install manager with recommended settings" \ + "ADVANCED" "Do additional configuration to the manager" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
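Review bot: In `whiptail_management_nic` the first `--menu` call was resized to `20 75 12` but the retry inside the `while [ -z "$MNIC" ]` loop still passes `22 75 12`, so the dialog changes height when the user makes no selection and is re-prompted; the two invocations are otherwise identical. Either make the loop call `... 20 75 12 "${nic_list_management[@]}" 3>&1 1>&2 2>&3 )` as well, or keep only one copy of the command inside the loop so the size cannot diverge again. The function's start is outside the hunk.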
@@ -1121,10 +1121,10 @@ whiptail_sensor_config() { [ -n "$TESTING" ] && return - NSMSETUP=$(whiptail --title "$whiptail_title" --radiolist \ + NSMSETUP=$(whiptail --title "$whiptail_title" --menu \ "What type of configuration would you like to use?" 20 75 4 \ - "BASIC" "Install NSM components with recommended settings" ON \ - "ADVANCED" "Configure each component individually" OFF 3>&1 1>&2 2>&3 ) + "BASIC" "Install NSM components with recommended settings" \ + "ADVANCED" "Configure each component individually" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -1189,11 +1189,11 @@ whiptail_set_redirect() { [ -n "$TESTING" ] && return local options=() - options+=( "IP" "Use IP address to access the web interface" ON ) - [[ $no_use_hostname != true ]] && options+=( "HOSTNAME" "Use hostname to access the web interface" OFF ) - options+=("OTHER" "Use a different name like a FQDN or Load Balancer" OFF) + options+=( "IP" "Use IP address to access the web interface" ) + [[ $no_use_hostname != true ]] && options+=( "HOSTNAME" "Use hostname to access the web interface" ) + options+=("OTHER" "Use a different name like a FQDN or Load Balancer" ) - REDIRECTINFO=$(whiptail --title "$whiptail_title" --radiolist \ + REDIRECTINFO=$(whiptail --title "$whiptail_title" --menu \ "How would you like to access the web interface?\n\nWhatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \ "${options[@]}" \ 3>&1 1>&2 2>&3 From fb7ebcac7ef718f9bee6898ffdfcbaf7071fdc77 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 8 Feb 2023 09:18:05 -0500 Subject: [PATCH 038/470] 2.4 fw changes --- salt/firewall/hostgroups/anywhere | 1 + salt/firewall/hostgroups/dockernet | 2 ++ salt/firewall/hostgroups/localhost | 1 + salt/firewall/hostgroups/self | 2 ++ salt/firewall/map.jinja | 32 ++++++++---------------------- 5 files changed, 14 insertions(+), 24 deletions(-) create mode 100644 salt/firewall/hostgroups/anywhere create mode 100644 salt/firewall/hostgroups/dockernet create mode 100644 salt/firewall/hostgroups/localhost create mode 100644 salt/firewall/hostgroups/self diff --git a/salt/firewall/hostgroups/anywhere b/salt/firewall/hostgroups/anywhere new file mode 100644 index 000000000..b04387011 --- /dev/null +++ b/salt/firewall/hostgroups/anywhere @@ -0,0 +1 @@ +0.0.0.0/0 diff --git a/salt/firewall/hostgroups/dockernet b/salt/firewall/hostgroups/dockernet new file mode 100644 index 000000000..ccbd6e89c --- /dev/null +++ b/salt/firewall/hostgroups/dockernet @@ -0,0 +1,2 @@ +{% from 'docker/docker.map.jinja' import DOCKER -%} +{{ DOCKER.sorange }} diff --git a/salt/firewall/hostgroups/localhost b/salt/firewall/hostgroups/localhost new file mode 100644 index 000000000..7b9ad531d --- /dev/null +++ b/salt/firewall/hostgroups/localhost @@ -0,0 +1 @@ +127.0.0.1 diff --git a/salt/firewall/hostgroups/self b/salt/firewall/hostgroups/self new file mode 100644 index 000000000..488f25de4 --- /dev/null +++ b/salt/firewall/hostgroups/self @@ -0,0 +1,2 @@ +{% from 'vars/globals.map.jinja' import GLOBALS -%} +{{ GLOBALS.node_ip }} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 2fa295447..191155fbd 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
@@ -3,7 +3,7 @@ {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} {% set default_portgroups = default_portgroups.firewall.ports %} -{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} +{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %} {% if local_portgroups.firewall.ports %} {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} @@ -15,30 +15,14 @@ {% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} {#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#} {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} -{% set hostgroup_list = [ - 'analyst', - 'analyst_workstations', - 'eval', - 'heavynodes', - 'idh', - 'manager', - 'managersearch', - 'receivers', - 'searchnodes', - 'sensors', - 'standalone', - 'beats_endpoint', - 'beats_endpoint_ssl', - 'elasticsearch_rest', - 'elastic_agent_endpoint', - 'endgame', - 'strelka_frontend', - 'syslog' - ] -%} + +{% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %} +{% do hostgroup_list.remove('firewall/hostgroups.local.yaml') %} +{% do hostgroup_list.remove('firewall/hostgroups.yaml') %} + {% for hg in hostgroup_list %} -{% import_text 'firewall/hostgroups/' ~ hg as hg_ips %} -{% do local_hostgroups.firewall.hostgroups.update({hg: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} +{% import_text hg as hg_ips %} +{% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} {% endfor %} {% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} From 31daeef30d2c3c46ed53368e8a883a5f7cd0c3ca Mon Sep 17 00:00:00 2001 
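Review bot: In the second hunk, `salt['cp.list_master'](prefix='firewall/hostgroups')` is a plain string-prefix match, which is why `firewall/hostgroups.yaml` and `firewall/hostgroups.local.yaml` come back and have to be removed; `list.remove` raises `ValueError` when either file is not present on the master, and any nested path under the directory is truncated to its second component by `hg.split('/')[2]`. Using `prefix='firewall/hostgroups/'` (trailing slash) restricts the listing to the directory and makes the two `remove` calls unnecessary. Separately, `hg_ips.split()` turns every whitespace-separated token in a hostgroup file into an `insert` entry, so a comment line or stray word in one of those files would be rendered straight into a firewall rule; if comments are meant to be allowed there, filter tokens starting with `#` before the update, otherwise a comment in `map.jinja` stating that the files hold bare addresses only would make the contract explicit.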
From: m0duspwnens Date: Wed, 8 Feb 2023 11:01:26 -0500 Subject: [PATCH 039/470] 2.4 fw changes --- files/firewall/hostgroups.local.yaml | 66 --- .../ports.local.yaml} | 0 salt/firewall/hostgroups.yaml | 23 - salt/firewall/map.jinja | 6 +- salt/firewall/portgroups/portgroups.yaml | 552 ------------------ 5 files changed, 1 insertion(+), 646 deletions(-) delete mode 100644 files/firewall/hostgroups.local.yaml rename files/firewall/{portgroups.local.yaml => ports/ports.local.yaml} (100%) delete mode 100644 salt/firewall/hostgroups.yaml delete mode 100644 salt/firewall/portgroups/portgroups.yaml diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml deleted file mode 100644 index c4ebc3613..000000000 --- a/files/firewall/hostgroups.local.yaml +++ /dev/null @@ -1,66 +0,0 @@ -firewall: - hostgroups: - analyst: - ips: - delete: - insert: - beats_endpoint: - ips: - delete: - insert: - beats_endpoint_ssl: - ips: - delete: - insert: - elasticsearch_rest: - ips: - delete: - insert: - elastic_agent_endpoint: - ips: - delete: - insert: - endgame: - ips: - delete: - insert: - fleet: - ips: - delete: - insert: - heavy_node: - ips: - delete: - insert: - idh: - ips: - delete: - insert: - manager: - ips: - delete: - insert: - node: - ips: - delete: - insert: - receiver: - ips: - delete: - insert: - search_node: - ips: - delete: - insert: - sensor: - ips: - delete: - insert: - strelka_frontend: - ips: - delete: - insert: - syslog: - ips: - delete: - insert: diff --git a/files/firewall/portgroups.local.yaml b/files/firewall/ports/ports.local.yaml similarity index 100% rename from files/firewall/portgroups.local.yaml rename to files/firewall/ports/ports.local.yaml diff --git a/salt/firewall/hostgroups.yaml b/salt/firewall/hostgroups.yaml deleted file mode 100644 index d669d96e4..000000000 --- a/salt/firewall/hostgroups.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -{% from 'docker/docker.map.jinja' import DOCKER %} -firewall: - hostgroups: - anywhere: - ips: - delete: - insert: - - 0.0.0.0/0 - dockernet: - ips: - delete: - insert: - - {{ DOCKER.sorange }} - localhost: - ips: - delete: - insert: - - 127.0.0.1 - self: - ips: - delete: - insert: - - {{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 191155fbd..ea2d1b4e8 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -12,20 +12,16 @@ {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} {% set defined_portgroups = portgroups %} -{% import_yaml 'firewall/hostgroups.yaml' as default_hostgroups %} -{#% import_yaml 'firewall/hostgroups.local.yaml' as local_hostgroups %#} {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} {% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %} -{% do hostgroup_list.remove('firewall/hostgroups.local.yaml') %} -{% do hostgroup_list.remove('firewall/hostgroups.yaml') %} {% for hg in hostgroup_list %} {% import_text hg as hg_ips %} {% do local_hostgroups.firewall.hostgroups.update({hg.split('/')[2]: {'ips': {'insert': hg_ips.split(), 'delete': []}}}) %} {% endfor %} -{% set hostgroups = salt['defaults.merge'](default_hostgroups.firewall.hostgroups, local_hostgroups.firewall.hostgroups, in_place=False) %} +{% set hostgroups = local_hostgroups.firewall.hostgroups %} {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} diff --git a/salt/firewall/portgroups/portgroups.yaml b/salt/firewall/portgroups/portgroups.yaml deleted file mode 100644 index 331b5e3f2..000000000 
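Review bot: The context comment `{# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #}` in `salt/firewall/map.jinja` is now stale: this commit deletes `salt/firewall/portgroups/portgroups.yaml`, and the file imports `firewall/ports/ports.yaml` and `firewall/ports/ports.local.yaml` instead, so I would rewrite it as `{# Translate the portgroup names assigned in the pillar to the definitions in firewall/ports/ports.yaml and firewall/ports/ports.local.yaml #}`. With `default_hostgroups` removed, `local_hostgroups` is now the only source of hostgroups, so the name no longer describes its role; renaming it (or a one-line comment above the `set`) would help. Also note that an empty `firewall/hostgroups` directory on the master now yields an empty `hostgroups` mapping rather than the former built-in `anywhere`/`dockernet`/`localhost`/`self` entries — presumably intended since those moved to files in the previous commit, but worth a comment so the dependency on the copied files is visible.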
--- a/salt/firewall/portgroups/portgroups.yaml +++ /dev/null 
@@ -1,552 +0,0 @@ -role: - eval: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - elastic_agent_data - strelka_frontend: - portgroups: - - strelka_frontend - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - manager: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - - beats_5644 - self: - portgroups: - - syslog - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - endgame: - portgroups: - - endgame - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - 
portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - managersearch: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - elastic_agent_data - endgame: - portgroups: - - endgame - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - standalone: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - minio - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - - yum - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - minio - - elasticsearch_node - heavy_node: - portgroups: - - redis - - minio - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - elastic_agent_endpoint: - portgroups: - - elastic_agent_control - - 
elastic_agent_data - endgame: - portgroups: - - endgame - strelka_frontend: - portgroups: - - strelka_frontend - syslog: - portgroups: - - syslog - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - playbook - - mysql - - kibana - - redis - - influxdb - - cortex - - elasticsearch_rest - - elasticsearch_node - - cortex_es_rest - - cortex_es_node - minion: - portgroups: - - acng - - docker_registry - - influxdb - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - self: - portgroups: - - syslog}} - beats_endpoint: - portgroups: - - beats_5044 - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - searchnode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - elasticsearch_rest: - portgroups: - - elasticsearch_rest - search_node: - portgroups: - - elasticsearch_node - self: - portgroups: - - syslog - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - sensor: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - heavynode: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - elasticsearch_node - - elasticsearch_rest - dockernet: - portgroups: - - elasticsearch_node - - elasticsearch_rest - 
elasticsearch_rest: - portgroups: - - elasticsearch_rest - self: - portgroups: - - syslog - strelka_frontend: - portgroups: - - strelka_frontend - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - import: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - kibana - - redis - - influxdb - - elasticsearch_rest - - elasticsearch_node - minion: - portgroups: - - docker_registry - - sensoroni - sensor: - portgroups: - - beats_5044 - - beats_5644 - search_node: - portgroups: - - redis - - elasticsearch_node - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - elasticsearch_rest: - portgroups: - - elasticsearch_rest - analyst: - portgroups: - - nginx - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - minion: - portgroups: - - salt_manager - - receiver: - chain: - DOCKER-USER: - hostgroups: - sensor: - portgroups: - - beats_5644 - search_node: - portgroups: - - redis - - beats_5644 - self: - portgroups: - - redis - - syslog - - beats_5644 - syslog: - portgroups: - - syslog - beats_endpoint: - portgroups: - - beats_5044 - beats_endpoint_ssl: - portgroups: - - beats_5644 - endgame: - portgroups: - - endgame - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - idh: - chain: - INPUT: - hostgroups: - anywhere: - portgroups: - - ssh - dockernet: - portgroups: - - all - localhost: - portgroups: - - all - manager: - portgroups: - - ssh \ No newline at end of file From 19f49dde75246ac120b275a970b85180b393d302 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 8 Feb 2023 13:14:08 -0500 Subject: [PATCH 040/470] recusivly copy the firewall files for setup --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/setup/so-functions b/setup/so-functions index e15c7a191..0dc4751bd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1181,7 +1181,7 @@ firewall_generate_templates() { local firewall_pillar_path=$local_salt_dir/salt/firewall logCmd "mkdir -p $firewall_pillar_path" - logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" + logCmd "cp -r ../files/firewall/* /opt/so/saltstack/local/salt/firewall/" # i think this can be commented out for 2.4 #for i in analyst beats_endpoint endgame sensors manager managersearch elastic_agent_endpoint searchnodes; do From 3d34a49e4427d9452dbe3284f491207cb43c6699 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 8 Feb 2023 13:21:48 -0500 Subject: [PATCH 041/470] change to new local ports file --- files/firewall/assigned_hostgroups.local.map.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index 9a758161c..07f389af0 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -1,6 +1,6 @@ {% import_yaml 'firewall/ports/ports.yaml' as default_portgroups %} {% set default_portgroups = default_portgroups.firewall.ports %} -{% import_yaml 'firewall/portgroups.local.yaml' as local_portgroups %} +{% import_yaml 'firewall/ports/ports.local.yaml' as local_portgroups %} {% if local_portgroups.firewall.ports %} {% set local_portgroups = local_portgroups.firewall.ports %} {% else %} From ea0c3db8e1753fcab997c3909e7b763094f42d57 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Wed, 8 Feb 2023 13:23:45 -0500 Subject: [PATCH 042/470] upgrade influxdb --- pillar/data/addtotab.sh | 2 - salt/allowed_states.map.jinja | 4 - .../sbin/so-grafana-dashboard-folder-delete | 20 - salt/common/tools/sbin/so-grafana-restart | 12 - salt/common/tools/sbin/so-grafana-start | 12 - salt/common/tools/sbin/so-grafana-stop | 12 - salt/common/tools/sbin/so-image-common | 1 - salt/docker/defaults.yaml | 4 - salt/firewall/containers.map.jinja | 1 - .../dashboards/common_template.json.jinja | 64 - salt/grafana/etc/dashboards/dashboard.yml | 12 - salt/grafana/etc/datasources/influxdb.yaml | 17 - salt/grafana/etc/files/readme.txt | 1 - salt/grafana/etc/grafana.ini.jinja | 12 - salt/grafana/grafana_defaults.yaml | 3147 ----------------- salt/grafana/init.sls | 164 - ...u_docker_combined_current_graph.json.jinja | 223 -- ...cpu_docker_combined_trend_graph.json.jinja | 220 -- .../panels/cpu_usage_current_graph.json.jinja | 150 - .../grafana/panels/cpu_usage_guage.json.jinja | 126 - .../cpu_usage_tasks_all_graph.json.jinja | 193 - .../cpu_usage_tasks_blocked_graph.json.jinja | 124 - .../cpu_usage_tasks_paging_graph.json.jinja | 124 - .../cpu_usage_tasks_running_graph.json.jinja | 124 - .../cpu_usage_tasks_sleeping_graph.json.jinja | 124 - .../cpu_usage_tasks_stopped_graph.json.jinja | 124 - .../cpu_usage_tasks_unknown_graph.json.jinja | 124 - .../cpu_usage_tasks_zombies_graph.json.jinja | 124 - .../panels/disk_io_bytes_graph.json.jinja | 189 - .../panels/disk_io_requests_graph.json.jinja | 190 - .../panels/disk_io_time_graph.json.jinja | 189 - .../panels/disk_usage_nsm_graph.json.jinja | 211 -- .../disk_usage_nsm_percent_graph.json.jinja | 149 - .../panels/disk_usage_root_graph.json.jinja | 211 -- .../disk_usage_root_percent_graph.json.jinja | 149 - ...sticsearch_document_count_graph.json.jinja | 193 - ...rch_field_data_cache_size_graph.json.jinja | 191 - ..._ingest_performance_nontc_graph.json.jinja | 796 ----- 
...rch_ingest_performance_tc_graph.json.jinja | 793 ----- ...earch_pipeline_time_nontc_graph.json.jinja | 153 - ...icsearch_pipeline_time_tc_graph.json.jinja | 129 - .../elasticsearch_store_size_graph.json.jinja | 195 - ...lasticsearch_thread_count_graph.json.jinja | 192 - .../panels/influxdb_db_size_graph.json.jinja | 191 - salt/grafana/panels/io_wait_graph.json.jinja | 148 - salt/grafana/panels/io_wait_stat.json.jinja | 125 - .../load_average_5_minute_stat.json.jinja | 118 - .../panels/load_averages_graph.json.jinja | 187 - ...gstash_eps_in_out_manager_graph.json.jinja | 403 --- ...logstash_estimated_eps_in_graph.json.jinja | 230 -- .../logstash_estimated_eps_in_stat.json.jinja | 136 - ...sh_estimated_eps_in_total_graph.json.jinja | 156 - ...ogstash_estimated_eps_out_graph.json.jinja | 230 -- ...logstash_estimated_eps_out_stat.json.jinja | 136 - ...h_estimated_eps_out_total_graph.json.jinja | 156 - ...ing_eps_in_out_searchnode_graph.json.jinja | 411 --- ...g_eps_in_searchnode_total_graph.json.jinja | 170 - ...anagement_interface_drops_graph.json.jinja | 282 -- ...t_interface_drops_inbound_graph.json.jinja | 142 - ..._interface_drops_outbound_graph.json.jinja | 142 - ...agement_interface_packets_graph.json.jinja | 283 -- ...nt_interface_traffic_both_graph.json.jinja | 409 --- ...interface_traffic_inbound_graph.json.jinja | 164 - ...nterface_traffic_outbound_graph.json.jinja | 162 - .../panels/memory_usage_graph.json.jinja | 208 -- .../memory_usage_percent_graph.json.jinja | 139 - ...d_docker_combined_current_graph.json.jinja | 143 - ...sed_docker_combined_trend_graph.json.jinja | 143 - .../monitor_interface_drops_graph.json.jinja | 282 -- ...r_interface_drops_inbound_graph.json.jinja | 125 - ...monitor_interface_packets_graph.json.jinja | 282 -- ...or_interface_traffic_both_graph.json.jinja | 276 -- ...interface_traffic_inbound_graph.json.jinja | 167 - ...ace_traffic_inbound_total_graph.json.jinja | 178 - .../monitor_interface_traffic_stat.json.jinja | 152 - 
...e_docker_combined_current_graph.json.jinja | 232 -- ...age_docker_combined_trend_graph.json.jinja | 231 -- salt/grafana/panels/nsm_used_guage.json.jinja | 121 - .../panels/pcap_retention_stat.json.jinja | 113 - .../panels/process_status_graph.json.jinja | 203 -- .../grafana/panels/ram_usage_guage.json.jinja | 114 - .../panels/redis_queue_graph.json.jinja | 208 -- .../panels/redis_queue_stat.json.jinja | 95 - .../panels/rootfs_used_guage.json.jinja | 121 - salt/grafana/panels/row_cpu.json.jinja | 15 - salt/grafana/panels/row_disk_iops.json.jinja | 22 - salt/grafana/panels/row_disk_usage.json.jinja | 15 - .../panels/row_docker_details.json.jinja | 15 - .../panels/row_elasticsearch.json.jinja | 15 - salt/grafana/panels/row_influxdb.json.jinja | 15 - salt/grafana/panels/row_logstash.json.jinja | 15 - salt/grafana/panels/row_memory.json.jinja | 15 - salt/grafana/panels/row_network.json.jinja | 15 - salt/grafana/panels/row_overview.json.jinja | 15 - .../grafana/panels/row_packet_loss.json.jinja | 15 - salt/grafana/panels/row_redis.json.jinja | 15 - .../panels/row_stenographer.json.jinja | 15 - salt/grafana/panels/row_suricata.json.jinja | 15 - salt/grafana/panels/row_swap.json.jinja | 15 - salt/grafana/panels/row_zeek.json.jinja | 15 - .../stenographer_packet_loss_graph.json.jinja | 229 -- .../stenographer_packet_loss_stat.json.jinja | 114 - ...enographer_pcap_retention_graph.json.jinja | 207 -- .../suricata_packet_loss_graph.json.jinja | 241 -- .../suricata_packet_loss_stat.json.jinja | 120 - .../panels/swap_io_bytes_graph.json.jinja | 187 - .../panels/swap_usage_bytes_graph.json.jinja | 184 - .../panels/swap_usage_guage.json.jinja | 115 - .../swap_usage_percent_graph.json.jinja | 141 - salt/grafana/panels/system_uptime.json.jinja | 91 - .../panels/system_uptime_graph.json.jinja | 148 - ...e_docker_combined_current_graph.json.jinja | 168 - ...ime_docker_combined_trend_graph.json.jinja | 165 - .../panels/zeek_capture_loss_graph.json.jinja | 203 -- 
.../panels/zeek_packet_loss_graph.json.jinja | 244 -- .../panels/zeek_packet_loss_stat.json.jinja | 120 - .../zeek_restarts_healthcheck_stat.json.jinja | 93 - salt/grafana/soc_grafana.yaml | 49 - salt/grafana/templates/cluster_name.json | 25 - salt/grafana/templates/containers.json | 29 - salt/grafana/templates/cpucount.json | 24 - salt/grafana/templates/disk.json | 39 - salt/grafana/templates/manint.json | 29 - salt/grafana/templates/monint.json | 29 - salt/grafana/templates/role.json | 29 - salt/grafana/templates/searchnode.json | 25 - salt/grafana/templates/servername.json | 34 - salt/influxdb/config.yaml.jinja | 4 + salt/influxdb/defaults.yaml | 219 +- salt/influxdb/etc/influxdb.conf.jinja | 26 - salt/influxdb/init.sls | 100 +- salt/influxdb/map.jinja | 9 - salt/influxdb/soc_influxdb.yaml | 668 ++-- salt/nginx/etc/nginx.conf | 11 +- salt/soc/defaults.yaml | 8 +- salt/soc/merged.map.jinja | 5 - salt/telegraf/init.sls | 2 +- salt/top.sls | 4 - setup/automation/distributed-airgap-manager | 1 - setup/automation/distributed-airgap-search | 1 - setup/automation/distributed-airgap-sensor | 1 - setup/automation/distributed-cloud-manager | 1 - setup/automation/distributed-cloud-search | 1 - setup/automation/distributed-cloud-sensor | 1 - setup/automation/distributed-iso-manager | 1 - setup/automation/distributed-iso-search | 1 - setup/automation/distributed-iso-sensor | 1 - .../automation/distributed-net-centos-manager | 1 - .../automation/distributed-net-centos-search | 1 - .../automation/distributed-net-centos-sensor | 1 - .../automation/distributed-net-ubuntu-manager | 1 - .../automation/distributed-net-ubuntu-search | 1 - .../automation/distributed-net-ubuntu-sensor | 1 - .../distributed-net-ubuntu-suricata-manager | 1 - .../distributed-net-ubuntu-suricata-search | 1 - .../distributed-net-ubuntu-suricata-sensor | 1 - setup/automation/eval-airgap | 1 - setup/automation/eval-cloud | 1 - setup/automation/eval-iso | 1 - setup/automation/eval-net-centos | 1 - 
setup/automation/eval-net-ubuntu | 1 - setup/automation/import-airgap | 1 - setup/automation/import-cloud | 1 - setup/automation/import-iso | 1 - setup/automation/import-net-centos | 1 - setup/automation/import-net-ubuntu | 1 - setup/automation/standalone-airgap | 1 - setup/automation/standalone-cloud | 1 - setup/automation/standalone-iso | 1 - setup/automation/standalone-iso-logscan | 1 - setup/automation/standalone-iso-suricata | 1 - setup/automation/standalone-net-centos | 1 - setup/automation/standalone-net-centos-proxy | 1 - setup/automation/standalone-net-ubuntu | 1 - setup/so-functions | 9 +- 175 files changed, 431 insertions(+), 21108 deletions(-) delete mode 100755 salt/common/tools/sbin/so-grafana-dashboard-folder-delete delete mode 100755 salt/common/tools/sbin/so-grafana-restart delete mode 100755 salt/common/tools/sbin/so-grafana-start delete mode 100755 salt/common/tools/sbin/so-grafana-stop delete mode 100644 salt/grafana/dashboards/common_template.json.jinja delete mode 100644 salt/grafana/etc/dashboards/dashboard.yml delete mode 100644 salt/grafana/etc/datasources/influxdb.yaml delete mode 100644 salt/grafana/etc/files/readme.txt delete mode 100644 salt/grafana/etc/grafana.ini.jinja delete mode 100644 salt/grafana/grafana_defaults.yaml delete mode 100644 salt/grafana/init.sls delete mode 100644 salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_current_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_guage.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja delete mode 100644 
salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_io_bytes_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_io_requests_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_io_time_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_nsm_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_root_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_root_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_document_count_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_store_size_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja delete mode 100644 salt/grafana/panels/influxdb_db_size_graph.json.jinja delete mode 100644 salt/grafana/panels/io_wait_graph.json.jinja delete mode 100644 salt/grafana/panels/io_wait_stat.json.jinja delete mode 100644 salt/grafana/panels/load_average_5_minute_stat.json.jinja delete mode 100644 salt/grafana/panels/load_averages_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja delete mode 100644 
salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_drops_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_packets_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_traffic_both_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_usage_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_usage_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_drops_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_packets_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja delete mode 100644 
salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_stat.json.jinja delete mode 100644 salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/nsm_used_guage.json.jinja delete mode 100644 salt/grafana/panels/pcap_retention_stat.json.jinja delete mode 100644 salt/grafana/panels/process_status_graph.json.jinja delete mode 100644 salt/grafana/panels/ram_usage_guage.json.jinja delete mode 100644 salt/grafana/panels/redis_queue_graph.json.jinja delete mode 100644 salt/grafana/panels/redis_queue_stat.json.jinja delete mode 100644 salt/grafana/panels/rootfs_used_guage.json.jinja delete mode 100644 salt/grafana/panels/row_cpu.json.jinja delete mode 100644 salt/grafana/panels/row_disk_iops.json.jinja delete mode 100644 salt/grafana/panels/row_disk_usage.json.jinja delete mode 100644 salt/grafana/panels/row_docker_details.json.jinja delete mode 100644 salt/grafana/panels/row_elasticsearch.json.jinja delete mode 100644 salt/grafana/panels/row_influxdb.json.jinja delete mode 100644 salt/grafana/panels/row_logstash.json.jinja delete mode 100644 salt/grafana/panels/row_memory.json.jinja delete mode 100644 salt/grafana/panels/row_network.json.jinja delete mode 100644 salt/grafana/panels/row_overview.json.jinja delete mode 100644 salt/grafana/panels/row_packet_loss.json.jinja delete mode 100644 salt/grafana/panels/row_redis.json.jinja delete mode 100644 salt/grafana/panels/row_stenographer.json.jinja delete mode 100644 salt/grafana/panels/row_suricata.json.jinja delete mode 100644 salt/grafana/panels/row_swap.json.jinja delete mode 100644 salt/grafana/panels/row_zeek.json.jinja delete mode 100644 salt/grafana/panels/stenographer_packet_loss_graph.json.jinja 
delete mode 100644 salt/grafana/panels/stenographer_packet_loss_stat.json.jinja delete mode 100644 salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja delete mode 100644 salt/grafana/panels/suricata_packet_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/suricata_packet_loss_stat.json.jinja delete mode 100644 salt/grafana/panels/swap_io_bytes_graph.json.jinja delete mode 100644 salt/grafana/panels/swap_usage_bytes_graph.json.jinja delete mode 100644 salt/grafana/panels/swap_usage_guage.json.jinja delete mode 100644 salt/grafana/panels/swap_usage_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/system_uptime.json.jinja delete mode 100644 salt/grafana/panels/system_uptime_graph.json.jinja delete mode 100644 salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/zeek_capture_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/zeek_packet_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/zeek_packet_loss_stat.json.jinja delete mode 100644 salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja delete mode 100644 salt/grafana/soc_grafana.yaml delete mode 100644 salt/grafana/templates/cluster_name.json delete mode 100644 salt/grafana/templates/containers.json delete mode 100644 salt/grafana/templates/cpucount.json delete mode 100644 salt/grafana/templates/disk.json delete mode 100644 salt/grafana/templates/manint.json delete mode 100644 salt/grafana/templates/monint.json delete mode 100644 salt/grafana/templates/role.json delete mode 100644 salt/grafana/templates/searchnode.json delete mode 100644 salt/grafana/templates/servername.json create mode 100644 salt/influxdb/config.yaml.jinja delete mode 100644 salt/influxdb/etc/influxdb.conf.jinja delete mode 100644 salt/influxdb/map.jinja 
diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh
index 271558295..65f9446dd 100644
--- a/pillar/data/addtotab.sh
+++ b/pillar/data/addtotab.sh
@@ -45,12 +45,10 @@ echo " rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
 echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
 echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
- salt-call state.apply grafana queue=True
 fi
 if [ $TYPE == 'evaltab' ] || [ $TYPE == 'standalonetab' ]; then
 echo " monint: bond0" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ ! $10 ]; then
- salt-call state.apply grafana queue=True
 salt-call state.apply utility queue=True
 fi
 fi
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index 823b7b647..42ec3604a 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -33,7 +33,6 @@
 'nginx',
 'telegraf',
 'influxdb',
- 'grafana',
 'soc',
 'kratos',
 'elastic-fleet',
@@ -119,7 +118,6 @@
 'nginx',
 'telegraf',
 'influxdb',
- 'grafana',
 'soc',
 'kratos',
 'elastic-fleet',
@@ -139,7 +137,6 @@
 'nginx',
 'telegraf',
 'influxdb',
- 'grafana',
 'soc',
 'kratos',
 'elastic-fleet',
@@ -169,7 +166,6 @@
 'nginx',
 'telegraf',
 'influxdb',
- 'grafana',
 'soc',
 'kratos',
 'elastic-fleet',
diff --git a/salt/common/tools/sbin/so-grafana-dashboard-folder-delete b/salt/common/tools/sbin/so-grafana-dashboard-folder-delete
deleted file mode 100755
index 0783fccea..000000000
--- a/salt/common/tools/sbin/so-grafana-dashboard-folder-delete
+++ /dev/null
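Review bot: The `if [ ! $10 ]; then` that survives on the new side of the addtotab.sh hunk does not test the tenth positional parameter: bash expands `$10` as `$1` followed by a literal `0`, so the tested string always ends in `0`, is never empty, and the `salt-call state.apply utility queue=True` branch it guards never runs as far as these lines show. The intended check is `if [ -z "${10}" ]; then`. The unquoted `[ $TYPE == 'sensorstab' ]` comparisons in the same hunk also fail when `$TYPE` is empty or contains whitespace; `[ "$TYPE" = 'sensorstab' ]` is the portable form. Both predate this commit, but this is the hunk that reworks the block, and the rest of the script lies outside it.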
@@ -1,20 +0,0 @@
-# this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70
-
-# Exit if an error occurs. The next highstate will retry.
-set -e
-
-folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64')
-delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode")
-
-for row in $folders; do
- title=$(echo ${row} | base64 --decode | jq -r '.title')
- uid=$(echo ${row} | base64 --decode | jq -r '.uid')
-
- if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then
- curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid
- fi
-done
-
-echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete
-
-exit 0
diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart
deleted file mode 100755
index f8fbcb9c1..000000000
--- a/salt/common/tools/sbin/so-grafana-restart
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart grafana $1
diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start
deleted file mode 100755
index dfea3b8dc..000000000
--- a/salt/common/tools/sbin/so-grafana-start
+++ /dev/null
@@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-start grafana $1 diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop deleted file mode 100755 index 62552f17f..000000000 --- a/salt/common/tools/sbin/so-grafana-stop +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-stop grafana $1 diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 945d3f4ed..24772a479 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -48,7 +48,6 @@ container_list() { "so-elastic-agent-builder" "so-elasticsearch" "so-filebeat" - "so-grafana" "so-idh" "so-idstools" "so-influxdb" diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 7f3d40573..6886703db 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -23,10 +23,6 @@ docker: - 0.0.0.0:514:514/udp - 0.0.0.0:514:514/tcp - 0.0.0.0:5066:5066/tcp - 'so-grafana': - final_octet: 24 - port_bindings: - - 0.0.0.0:3000:3000 'so-idstools': final_octet: 25 'so-influxdb': diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 2ca294abc..702f2ff63 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja 
@@ -5,7 +5,6 @@
 'so-elastic-fleet',
 'so-elastic-fleet-package-registry',
 'so-filebeat',
- 'so-grafana',
 'so-influxdb',
 'so-kibana',
 'so-kratos',
diff --git a/salt/grafana/dashboards/common_template.json.jinja b/salt/grafana/dashboards/common_template.json.jinja
deleted file mode 100644
index 4c6745c3c..000000000
--- a/salt/grafana/dashboards/common_template.json.jinja
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- "annotations": {
- "list": [
- {
- "builtIn": 1,
- "datasource": "-- Grafana --",
- "enable": true,
- "hide": true,
- "iconColor": "rgba(0, 211, 255, 1)",
- "name": "Annotations & Alerts",
- "type": "dashboard"
- }
- ]
- },
- "description": "{{TITLE}}",
- "editable": true,
- "gnetId": null,
- "graphTooltip": 0,
- "id": {{ ID }},
- "iteration": 1625757047565,
- "links": [],
- "panels": [
-{% for panel in PANELS -%}
-{%- import_json "grafana/panels/" ~ panel ~ ".json.jinja" as panel %}
-{{ panel | json }} {% if not loop.last %},{% endif %}
-{% endfor -%}
- ],
- "refresh": "5m",
- "schemaVersion": 27,
- "style": "dark",
- "tags": [],
- "templating": {
- "list": [
-{% for template in TEMPLATES.keys() -%}
-{%- import_json "grafana/templates/" ~ template ~ ".json" as template %}
-{{ template | json }} {% if not loop.last %},{% endif %}
-{% endfor -%}
- ]
- },
- "time": {
- "from": "now-3h",
- "to": "now"
- },
- "timepicker": {
- "refresh_intervals": [
- "30s",
- "1m",
- "5m",
- "15m",
- "30m",
- "1h",
- "2h",
- "1d"
- ]
- },
- "timezone": "browser",
- "title": "{{ TITLE }}",
- {% if TITLE | lower == 'security onion grid overview' %}
- "uid": "so_overview",
- {% else %}
- "uid": "{{ UID }}",
- {% endif %}
- "version": 1
-}
diff --git a/salt/grafana/etc/dashboards/dashboard.yml b/salt/grafana/etc/dashboards/dashboard.yml
deleted file mode 100644
index 2c422069c..000000000
--- a/salt/grafana/etc/dashboards/dashboard.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: 1
-
-providers:
-- name: 'Dashboards'
- folder: 'Dashboards'
- type: file
- disableDeletion: false
- editable: true
- allowUiUpdates: true
- options:
- path: /etc/grafana/grafana_dashboards/
-
diff --git a/salt/grafana/etc/datasources/influxdb.yaml b/salt/grafana/etc/datasources/influxdb.yaml
deleted file mode 100644
index 1c4fd8135..000000000
--- a/salt/grafana/etc/datasources/influxdb.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: 1
-
-deleteDatasources:
- - name: Graphite
- orgId: 1
-
-datasources:
- - name: InfluxDB
- type: influxdb
- access: proxy
- database: telegraf
- url: https://{{ GLOBALS.influxdb_host }}:8086
- jsonData:
- tlsAuth: false
- tlsAuthWithCACert: false
- tlsSkipVerify: true
- version: 1
diff --git a/salt/grafana/etc/files/readme.txt b/salt/grafana/etc/files/readme.txt
deleted file mode 100644
index c78e8687c..000000000
--- a/salt/grafana/etc/files/readme.txt
+++ /dev/null
@@ -1 +0,0 @@
-For files that are referenced inside the Grafana config, place them in /opt/so/saltstack/local/salt/grafana/etc/files/. This would include keys used for smtp or a Grafana enterprise license file.
\ No newline at end of file
diff --git a/salt/grafana/etc/grafana.ini.jinja b/salt/grafana/etc/grafana.ini.jinja
deleted file mode 100644
index f2309056d..000000000
--- a/salt/grafana/etc/grafana.ini.jinja
+++ /dev/null
@@ -1,12 +0,0 @@
-{%- macro write_config_line(cfg) %}
-{%- for k,v in cfg.items() -%}
-{{ k }} = {{ v }}
-{% endfor %}
-{%- endmacro %}
-
-{{ write_config_line(config.get("default", {})) }}
-{% for header, cfg in config.items() %}
-{%- if header == "default" %}{% continue %}{% endif %}
-[{{ header }}]
-{{ write_config_line(cfg) }}
-{% endfor %}
\ No newline at end of file
diff --git a/salt/grafana/grafana_defaults.yaml b/salt/grafana/grafana_defaults.yaml
deleted file mode 100644
index b05775886..000000000
--- a/salt/grafana/grafana_defaults.yaml
+++ /dev/null
@@ -1,3147 +0,0 @@ -grafana: - config: - server: - root_url: "%(protocol)s://%(domain)s/grafana/" - auth.anonymous: - enabled: true - org_name: Main Org. - org_role: Viewer - smtp: - enabled: false - host: localhost:25 - user: myuser - password: mypassword - cert_file: /etc/grafana/config/files/smtp_cert_file.crt - key_file: /etc/grafana/config/files/smtp_key_file.key - skip_verify: false - from_address: admin@grafana.localhost - from_name: Grafana - ehlo_identity: dashboard.example.com - auth.ldap: - enabled: false - config_file: /etc/grafana/config/files/ldap.toml - allow_sign_up: true - enterprise: - license_path: /opt/so/conf/grafana/etc/files/license.jwt - dashboards: - overview: - title: 'Security Onion Grid Overview' - templating: - list: - servername: - text: All - value: "$__all" - role: - allValue: true - multi: true - hide: 0 - text: All - value: "$__all" - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime_graph: - gridPos: - x: 0 - y: 1 - h: 8 - w: 12 - uptime_docker_combined_current_graph: - gridPos: - x: 12 - y: 1 - h: 8 - w: 12 - cpu_usage_current_graph: - gridPos: - x: 0 - y: 9 - h: 8 - w: 24 - memory_usage_percent_graph: - gridPos: - x: 0 - y: 17 - h: 8 - w: 24 - disk_usage_root_percent_graph: - gridPos: - x: 0 - y: 25 - h: 8 - w: 24 - disk_usage_nsm_percent_graph: - gridPos: - x: 0 - y: 33 - h: 8 - w: 24 - swap_usage_percent_graph: - gridPos: - x: 0 - y: 41 - h: 8 - w: 24 - io_wait_graph: - gridPos: - x: 0 - y: 49 - h: 8 - w: 24 - - row_network: - gridPos: - x: 0 - y: 57 - h: 1 - w: 24 - management_interface_traffic_inbound_graph: - gridPos: - x: 0 - y: 58 - h: 8 - w: 24 - management_interface_traffic_outbound_graph: - gridPos: - x: 0 - y: 64 - h: 8 - w: 24 - management_interface_drops_inbound_graph: - gridPos: - x: 0 - y: 72 - h: 8 - w: 24 - management_interface_drops_outbound_graph: - gridPos: - x: 0 - y: 80 - h: 8 - w: 24 - 
monitor_interface_traffic_inbound_graph: - gridPos: - x: 0 - y: 88 - h: 8 - w: 24 - monitor_interface_drops_inbound_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - - row_packet_loss: - gridPos: - x: 0 - y: 104 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 105 - h: 8 - w: 24 - hideTrend: true - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 113 - h: 8 - w: 24 - hideTrend: true - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 121 - h: 8 - w: 24 - hideTrend: true - - row_cpu: - gridPos: - x: 0 - y: 999 - h: 1 - w: 24 - cpu_usage_tasks_running_graph: - gridPos: - x: 0 - y: 1000 - h: 8 - w: 24 - cpu_usage_tasks_zombies_graph: - gridPos: - x: 0 - y: 1008 - h: 8 - w: 12 - cpu_usage_tasks_stopped_graph: - gridPos: - x: 12 - y: 1008 - h: 8 - w: 12 - cpu_usage_tasks_sleeping_graph: - gridPos: - x: 0 - y: 1016 - h: 8 - w: 12 - cpu_usage_tasks_blocked_graph: - gridPos: - x: 12 - y: 1016 - h: 8 - w: 12 - cpu_usage_tasks_paging_graph: - gridPos: - x: 0 - y: 1024 - h: 8 - w: 12 - cpu_usage_tasks_unknown_graph: - gridPos: - x: 12 - y: 1024 - h: 8 - w: 12 - - - standalone: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 
4 - monitor_interface_traffic_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 - w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 20 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 69 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - 
gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 24 - - row_elasticsearch: - gridPos: - x: 0 - y: 161 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 162 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 162 - h: 8 - w: 12 - elasticsearch_store_size_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 170 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - row_zeek: - gridPos: - x: 0 - y: 187 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 188 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 188 - h: 8 - w: 12 - - row_suricata: - gridPos: - x: 0 - y: 196 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 197 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 205 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 206 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 206 - h: 8 - w: 8 - - row_influxdb: - gridPos: - x: 0 - y: 214 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 214 - h: 8 - w: 24 - - - manager: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - 
manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - 
y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_elasticsearch: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 153 - h: 8 - w: 12 - elasticsearch_store_size_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 161 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 169 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 24 - - row_influxdb: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - - managersearch: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - 
io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - 
network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 24 - - row_elasticsearch: - gridPos: - x: 0 - y: 161 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 162 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 162 - h: 8 - w: 12 - elasticsearch_store_size_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 170 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - row_influxdb: - gridPos: - x: 0 - y: 214 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 214 - h: 8 - w: 24 - - - sensor: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - monitor_interface_traffic_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 
- w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 20 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_traffic_inbound_total_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 77 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 77 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 85 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 86 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 86 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 94 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 95 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 95 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 95 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 103 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 120 
- h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 152 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 152 - h: 8 - w: 12 - - row_zeek: - gridPos: - x: 0 - y: 160 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 161 - h: 8 - w: 12 - - row_suricata: - gridPos: - x: 0 - y: 169 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 179 - h: 8 - w: 8 - - - searchnode: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - logstash_estimated_eps_out_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - 
gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 
- y: 153 - h: 8 - w: 24 - logstash_estimated_eps_in_total_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 24 - logstash_estimated_eps_out_graph: - gridPos: - x: 0 - y: 169 - h: 8 - w: 24 - logstash_estimated_eps_out_total_graph: - gridPos: - x: 0 - y: 172 - h: 8 - w: 24 - - - heavynode: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - monitor_interface_traffic_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - 
y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 69 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 24 - - row_zeek: - gridPos: - x: 0 - y: 170 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 171 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 171 - h: 8 - w: 
12 - - row_suricata: - gridPos: - x: 0 - y: 179 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 180 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 188 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 189 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 189 - h: 8 - w: 8 - - - eval: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - monitor_interface_traffic_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 - w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 20 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: 
- x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 69 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_elasticsearch: - gridPos: - x: 0 - y: 161 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 162 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 162 - h: 8 - w: 12 - elasticsearch_store_size_graph: - 
gridPos: - x: 0 - y: 170 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 170 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - row_zeek: - gridPos: - x: 0 - y: 187 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 188 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 188 - h: 8 - w: 12 - - row_suricata: - gridPos: - x: 0 - y: 196 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 197 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 205 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 206 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 206 - h: 8 - w: 8 - - row_influxdb: - gridPos: - x: 0 - y: 214 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 214 - h: 8 - w: 24 - - - receiver: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - logstash_estimated_eps_out_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - 
gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 
- y: 153 - h: 8 - w: 24 - logstash_estimated_eps_in_total_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 24 - logstash_estimated_eps_out_graph: - gridPos: - x: 0 - y: 169 - h: 8 - w: 24 - logstash_estimated_eps_out_total_graph: - gridPos: - x: 0 - y: 172 - h: 8 - w: 24 - - row_redis: - gridPos: - x: 0 - y: 180 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 181 - h: 8 - w: 24 - - - pipeline_overview_nontc: - title: 'Pipeline Overview' - templating: - list: - searchnode: - includeAll: true - multi: true - hide: 2 - text: All - value: "$__all" - panels: - redis_queue_graph: - gridPos: - x: 0 - y: 0 - h: 8 - w: 8 - logstash_eps_in_out_manager_graph: - gridPos: - x: 8 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_searchnode_total_graph: - gridPos: - x: 16 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_out_searchnode_graph: - gridPos: - x: 0 - y: 8 - h: 8 - w: 24 - elasticsearch_ingest_performance_nontc_graph: - gridPos: - x: 0 - y: 16 - h: 8 - w: 24 - elasticsearch_pipeline_time_nontc_graph: - gridPos: - x: 0 - y: 24 - h: 8 - w: 24 - - - pipeline_overview_tc: - title: 'Pipeline Overview' - templating: - list: - searchnode: - includeAll: true - multi: true - hide: 2 - text: All - value: "$__all" - cluster_name: - includeAll: true - multi: true - hide: 2 - text: All - value: "$__all" - panels: - redis_queue_graph: - gridPos: - x: 0 - y: 0 - h: 8 - w: 8 - logstash_eps_in_out_manager_graph: - gridPos: - x: 8 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_searchnode_total_graph: - gridPos: - x: 16 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_out_searchnode_graph: - gridPos: - x: 0 - y: 8 - h: 8 - w: 24 - elasticsearch_ingest_performance_tc_graph: - gridPos: - x: 0 - y: 16 - h: 8 - w: 24 - elasticsearch_pipeline_time_tc_graph: - gridPos: - x: 0 - y: 24 - h: 8 - w: 24 diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls deleted file mode 100644 index 1c5f30d5b..000000000 --- a/salt/grafana/init.sls +++ /dev/null 
@@ -1,164 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} - -{% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %} -{% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %} - -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval'] %} - -{% set ALLOWED_DASHBOARDS = ['overview', 'standalone', 'manager', 'managersearch', 'sensor', 'searchnode', 'heavynode', 'eval', 'receiver'] %} -{% set DASHBOARDS = ['overview'] %} -{% if grains.role == 'so-eval' %} - {% do DASHBOARDS.append('eval') %} -{% else %} - {% if not salt['pillar.get']('elasticsearch:true_cluster', False) %} - {% do DASHBOARDS.append('pipeline_overview_nontc') %} - {% else %} - {% do DASHBOARDS.append('pipeline_overview_tc') %} - {% endif %} - {# Grab a unique listing of nodetypes that exists so that we create only the needed dashboards #} - {% for dashboard in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' 
{'print $1'}").split() %} - {% if dashboard in ALLOWED_DASHBOARDS %} - {% do DASHBOARDS.append(dashboard) %} - {% endif %} - {% endfor %} -{% endif %} - - - -# Grafana all the things -grafanadir: - file.directory: - - name: /nsm/grafana - - user: 939 - - group: 939 - - makedirs: True - -grafanaconfdir: - file.directory: - - name: /opt/so/conf/grafana/etc - - user: 939 - - group: 939 - - makedirs: True - -grafanadashdir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards - - user: 939 - - group: 939 - - makedirs: True - -{% for type in ['eval','manager','managersearch','search_nodes','sensor_nodes','standalone'] %} -remove_dashboard_dir_{{type}}: - file.absent: - - name: /opt/so/conf/grafana/grafana_dashboards/{{type}} -{% endfor %} - -grafana-dashboard-config: - file.managed: - - name: /opt/so/conf/grafana/etc/dashboards/dashboard.yml - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/etc/dashboards/dashboard.yml - - makedirs: True - - -grafana-datasources-config: - file.managed: - - name: /opt/so/conf/grafana/etc/datasources/influxdb.yaml - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/etc/datasources/influxdb.yaml - - makedirs: True - - defaults: - GLOBALS: {{ GLOBALS }} - -grafana-config: - file.managed: - - name: /opt/so/conf/grafana/etc/grafana.ini - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/etc/grafana.ini.jinja - - context: - config: {{ GRAFANA_SETTINGS.config|json }} - -# these are the files that are referenced inside the config such as smtp:cert_file, smtp:cert_key, auth.ldap:config_file, enterprise:license_path -grafana-config-files: - file.recurse: - - name: /opt/so/conf/grafana/etc/files - - user: 939 - - group: 939 - - source: salt://grafana/etc/files - - makedirs: True - -so-grafana-dashboard-folder-delete: - cmd.run: - - name: /usr/sbin/so-grafana-dashboard-folder-delete - - unless: ls /opt/so/state/so-grafana-dashboard-folder-delete-complete - -{% 
for dashboard in DASHBOARDS | unique %} -{{dashboard}}-dashboard: - file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/{{dashboard}}.json - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/dashboards/common_template.json.jinja - - defaults: - DASHBOARD: {{ dashboard }} - PANELS: {{GRAFANA_SETTINGS.dashboards[dashboard].panels}} - TEMPLATES: {{GRAFANA_SETTINGS.dashboards[dashboard].templating.list}} - TITLE: {{ GRAFANA_SETTINGS.dashboards[dashboard].get('title', dashboard| capitalize) }} - ID: {{ loop.index }} - UID: {{ dashboard }} -{% endfor %} - -so-grafana: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-grafana:{{ GLOBALS.so_version }} - - hostname: grafana - - user: socore - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - - extra_hosts: - - {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}} - - binds: - - /nsm/grafana:/var/lib/grafana:rw - - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro - - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw - - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw - - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw - - /opt/so/conf/grafana/etc/files:/etc/grafana/config/files:ro - - environment: - - GF_SECURITY_ADMIN_PASSWORD={{ ADMINPASS }} - - port_bindings: - {% for BINDING in DOCKER.containers['so-grafana'].port_bindings %} - - {{ BINDING }} - {% endfor %} - - watch: - - file: /opt/so/conf/grafana/* - - require: - - file: grafana-config - -append_so-grafana_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-grafana - -{% endif %} - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} 
diff --git a/salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja b/salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja
deleted file mode 100644
index 7d0f67135..000000000
--- a/salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja
+++ /dev/null
@@ -1,223 +0,0 @@ -{ - "id": 100, - "gridPos": { - "x": {{ PANELS.cpu_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.cpu_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.cpu_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.cpu_docker_combined_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container CPU Usage Current", - "transformations": [], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 1, - "unit": "percent" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/n_cpus/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "color", - "value": { - "mode": "fixed", - "fixedColor": "dark-red" - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - 
"measurement": "docker_container_cpu", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(\"usage_percent\") FROM \"docker_container_cpu\" WHERE (\"host\" =~ /^$servername$/ AND \"container_name\" =~ /^$containers$/) AND $timeFilter GROUP BY time($__interval), \"container_name\", \"host\" fill(null)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - }, - { - "alias": "$tag_host: n_cpus*100", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "system", - "orderByTime": "ASC", - "policy": "default", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "n_cpus" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - " * 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja deleted file mode 100644 index 2e2dbe797..000000000 --- a/salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,220 +0,0 @@ -{ - "id": 101, - "gridPos": { - "x": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container CPU Usage Trend", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 1, - "unit": "percent" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/n_cpus/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "color", - "value": { - "mode": "fixed", - "fixedColor": "dark-red" - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_cpu", - "orderByTime": 
"ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_usage_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - }, - { - "alias": "$tag_host: n_cpus*100", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "system", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_n_cpus" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - " * 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_usage_current_graph.json.jinja b/salt/grafana/panels/cpu_usage_current_graph.json.jinja deleted file mode 100644 index 15c70cedd..000000000 --- a/salt/grafana/panels/cpu_usage_current_graph.json.jinja +++ /dev/null 
@@ -1,150 +0,0 @@ -{ - "id": 69001, - "gridPos": { - "x": {{ PANELS.cpu_usage_current_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_current_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_current_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_idle" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "*-1 + 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - 
"key": "host",
- "operator": "=~",
- "value": "/^$servername$/"
- },
- {
- "condition": "AND",
- "key": "cpu",
- "operator": "=",
- "value": "cpu-total"
- }
- ]
- }
- ],
- "maxDataPoints": null,
- "timeFrom": null,
- "timeShift": null
-}
diff --git a/salt/grafana/panels/cpu_usage_guage.json.jinja b/salt/grafana/panels/cpu_usage_guage.json.jinja
deleted file mode 100644
index d5cd949d8..000000000
--- a/salt/grafana/panels/cpu_usage_guage.json.jinja
+++ /dev/null
@@ -1,126 +0,0 @@ -{ - "id": 9, - "gridPos": { - "x": {{ PANELS.cpu_usage_guage.gridPos.x }}, - "y": {{ PANELS.cpu_usage_guage.gridPos.y }}, - "w": {{ PANELS.cpu_usage_guage.gridPos.w }}, - "h": {{ PANELS.cpu_usage_guage.gridPos.h }} - }, - "type": "gauge", - "title": "CPU usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 70 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 80 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_idle" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "* -1 + 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "cpu", - "operator": "=", - "value": "cpu-total" - } - ], - "orderByTime": "ASC" - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} 
diff --git a/salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja
deleted file mode 100644
index dea4c3d8c..000000000
--- a/salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja
+++ /dev/null
@@ -1,193 +0,0 @@ -{ - "id": 61871, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(usage_user) as \"user\", mean(usage_system) as \"system\", mean(usage_softirq) as \"softirq\", mean(usage_steal) as \"steal\", mean(usage_nice) as \"nice\", mean(usage_irq) as \"irq\", mean(usage_iowait) as \"iowait\", mean(usage_guest) as \"guest\", mean(usage_guest_nice) as \"guest_nice\" FROM \"cpu\" WHERE \"host\" =~ /^$servername$/ and cpu = 'cpu-total' AND $timeFilter GROUP BY time($__interval), *", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [], - "hide": false - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_usage_user) as \"trend_user\", mean(mean_usage_system) as \"trend_system\", mean(mean_usage_softirq) as \"trend_softirq\", mean(mean_usage_steal) as \"trend_steal\", mean(mean_usage_nice) as \"trend_nice\", mean(mean_usage_irq) as 
\"trend_irq\", mean(mean_usage_iowait) as \"trend_iowait\", mean(mean_usage_guest) as \"trend_guest\", mean(mean_usage_guest_nice) as \"trend_guest_nice\" FROM \"so_long_term\".\"cpu\" WHERE \"host\" =~ /^$servername$/ and cpu = 'cpu-total' AND $timeFilter GROUP BY time($__interval), * fill(linear)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja deleted file mode 100644 index 6a7371038..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69005, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Blocked", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(blocked) as blocked FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean"
- }
- ]
- ],
- "tags": []
- }
- ],
- "timeFrom": null,
- "timeShift": null,
- "interval": "30s"
-}
diff --git a/salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja
deleted file mode 100644
index 2f56dffaa..000000000
--- a/salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja
+++ /dev/null
@@ -1,124 +0,0 @@ -{ - "id": 69008, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Paging", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(paging) as paging FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": 
"mean"
- }
- ]
- ],
- "tags": []
- }
- ],
- "interval": "30s",
- "timeFrom": null,
- "timeShift": null
-}
diff --git a/salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja
deleted file mode 100644
index 657321696..000000000
--- a/salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja
+++ /dev/null
@@ -1,124 +0,0 @@ -{ - "id": 69003, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Running", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(running) as running FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean"
- }
- ]
- ],
- "tags": []
- }
- ],
- "timeFrom": null,
- "timeShift": null,
- "interval": "30s"
-}
diff --git a/salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja
deleted file mode 100644
index e88272d2d..000000000
--- a/salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja
+++ /dev/null
@@ -1,124 +0,0 @@ -{ - "id": 69006, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Sleeping", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(sleeping) as sleeping FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean"
- }
- ]
- ],
- "tags": []
- }
- ],
- "timeFrom": null,
- "timeShift": null,
- "interval": "30s"
-}
diff --git a/salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja
deleted file mode 100644
index d45d59a18..000000000
--- a/salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja
+++ /dev/null
@@ -1,124 +0,0 @@ -{ - "id": 69007, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Stopped", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(stopped) as stopped FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja deleted file mode 100644 index f0c3005eb..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69009, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Unknown", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(unknown) as unknown FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja deleted file mode 100644 index 20149ae3b..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69004, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Zombies", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(zombies) as zombies FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/disk_io_bytes_graph.json.jinja b/salt/grafana/panels/disk_io_bytes_graph.json.jinja deleted file mode 100644 index 4b9c4c7ff..000000000 --- a/salt/grafana/panels/disk_io_bytes_graph.json.jinja +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "id": 60200, - "gridPos": { - "x": {{ PANELS.disk_io_bytes_graph.gridPos.x }}, - "y": {{ PANELS.disk_io_bytes_graph.gridPos.y }}, - "w": {{ PANELS.disk_io_bytes_graph.gridPos.w }}, - "h": {{ PANELS.disk_io_bytes_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk I/O bytes for /dev/$disk", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "bytes", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(read_bytes),1s) as \"read\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "B", 
- "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(write_bytes),1s) as \"write\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "scopedVars": { - "disk": { - "text": "sda", - "value": "sda", - "selected": false - } - }, - "maxDataPoints": null, - "repeat": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_io_requests_graph.json.jinja b/salt/grafana/panels/disk_io_requests_graph.json.jinja deleted file mode 100644 index a3f95772c..000000000 --- a/salt/grafana/panels/disk_io_requests_graph.json.jinja +++ /dev/null 
@@ -1,190 +0,0 @@ -{ - "id": 13782, - "gridPos": { - "x": {{ PANELS.disk_io_requests_graph.gridPos.x }}, - "y": {{ PANELS.disk_io_requests_graph.gridPos.y }}, - "w": {{ PANELS.disk_io_requests_graph.gridPos.w }}, - "h": {{ PANELS.disk_io_requests_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk I/O requests for /dev/$disk", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "iops", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(reads),1s) as \"read\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - 
"refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [], - "hide": false - }, - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(writes),1s) as \"write\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "scopedVars": { - "disk": { - "text": "sda", - "value": "sda", - "selected": false - } - }, - "maxDataPoints": null, - "repeat": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_io_time_graph.json.jinja b/salt/grafana/panels/disk_io_time_graph.json.jinja deleted file mode 100644 index fa7c7b51e..000000000 --- a/salt/grafana/panels/disk_io_time_graph.json.jinja +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "id": 56720, - "gridPos": { - "x": {{ PANELS.disk_io_time_graph.gridPos.x }}, - "y": {{ PANELS.disk_io_time_graph.gridPos.y }}, - "w": {{ PANELS.disk_io_time_graph.gridPos.w }}, - "h": {{ PANELS.disk_io_time_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk I/O time for /dev/$disk", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "ms", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(read_time),1s) as \"read\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "B", - 
"resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(write_time),1s) as \"write\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "scopedVars": { - "disk": { - "text": "sda", - "value": "sda", - "selected": false - } - }, - "maxDataPoints": null, - "repeat": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_nsm_graph.json.jinja b/salt/grafana/panels/disk_usage_nsm_graph.json.jinja deleted file mode 100644 index 90212b681..000000000 --- a/salt/grafana/panels/disk_usage_nsm_graph.json.jinja +++ /dev/null 
@@ -1,211 +0,0 @@ -{ - "id": 68888, - "gridPos": { - "x": {{ PANELS.disk_usage_nsm_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_nsm_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_nsm_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_nsm_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /nsm", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/nsm' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_total) AS \"trend_total\", mean(mean_used) as \"trend_used\" FROM \"so_long_term\".\"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/nsm' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\" fill(linear)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], 
- "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/total/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "#C4162A", - "mode": "fixed" - } - }, - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 2 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja b/salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja deleted file mode 100644 index 7486b29d9..000000000 --- a/salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - "id": 47230, - "gridPos": { - "x": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /nsm", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1, - "min": 0, - "max": 100 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/nsm' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": 
"randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/nsm" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_root_graph.json.jinja b/salt/grafana/panels/disk_usage_root_graph.json.jinja deleted file mode 100644 index 07ac20bbe..000000000 --- a/salt/grafana/panels/disk_usage_root_graph.json.jinja +++ /dev/null 
@@ -1,211 +0,0 @@ -{ - "id": 61880, - "gridPos": { - "x": {{ PANELS.disk_usage_root_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_root_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_root_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_root_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_total) AS \"trend_total\", mean(mean_used) as \"trend_used\" FROM \"so_long_term\".\"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\" fill(linear)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "stepAfter", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/total/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "#C4162A", - "mode": "fixed" - } - }, - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 2 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_root_percent_graph.json.jinja b/salt/grafana/panels/disk_usage_root_percent_graph.json.jinja deleted file mode 100644 index 90cc3ff9b..000000000 --- a/salt/grafana/panels/disk_usage_root_percent_graph.json.jinja +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - "id": 67830, - "gridPos": { - "x": {{ PANELS.disk_usage_root_percent_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_root_percent_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_root_percent_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_root_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1, - "min": 0, - "max": 100 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": 
"randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_document_count_graph.json.jinja b/salt/grafana/panels/elasticsearch_document_count_graph.json.jinja deleted file mode 100644 index fd296aeb1..000000000 --- a/salt/grafana/panels/elasticsearch_document_count_graph.json.jinja +++ /dev/null 
@@ -1,193 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.elasticsearch_document_count_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_document_count_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_document_count_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_document_count_graph.gridPos.h }} - }, - "id": 33, - "links": [], - "maxDataPoints": 750, - "nullPointMode": "connected", - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "docs_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "alias": "Document Count Current" - }, - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_docs_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "alias": "Document Count Trend", - "hide": false - } - ], - "thresholds": [], - "title": "Document Count", - "type": "graph", - "options": { - "alertThreshold": true - }, - "interval": "30s", - "pluginVersion": "7.5.4", - "renderer": "flot", - "yaxes": [ - { - "label": null, - "show": true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:678" - }, - { - "label": null, - "show": 
true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:679" - } - ], - "xaxis": { - "show": true, - "mode": "time", - "name": null, - "values": [], - "buckets": null - }, - "yaxis": { - "align": false, - "alignLevel": null - }, - "lines": true, - "fill": 1, - "linewidth": 1, - "dashLength": 10, - "spaceLength": 10, - "pointradius": 2, - "legend": { - "show": true, - "values": true, - "min": false, - "max": false, - "current": true, - "total": false, - "avg": false, - "alignAsTable": true, - "rightSide": false - }, - "tooltip": { - "value_type": "individual", - "shared": true, - "sort": 0 - }, - "aliasColors": {}, - "seriesOverrides": [ - { - "$$hashKey": "object:1050", - "alias": "/Trend/", - "fill": 0, - "linewidth": 4, - "dashes": true, - "dashLength": 4 - } - ], - "timeRegions": [], - "cacheTimeout": null, - "fillGradient": 0, - "dashes": false, - "hiddenSeries": false, - "points": false, - "bars": false, - "stack": false, - "percentage": false, - "steppedLine": false, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja b/salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja deleted file mode 100644 index aee84c813..000000000 --- a/salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja +++ /dev/null 
@@ -1,191 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 6363, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": true, - "max": true, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Size Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "fielddata_memory_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Size Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - 
} - ], - "hide": false, - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_fielddata_memory_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Fielddata Cache Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja b/salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja deleted file mode 100644 index 0166ae4b6..000000000 --- a/salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja +++ /dev/null 
@@ -1,796 +0,0 @@ -{ - "id": 445549, - "gridPos": { - "x": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Elastic Ingest Performance - $searchnode", - "repeat": "searchnode", - "repeatDirection": "v", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 0, - "unit": "ms" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "community.id_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_community_id_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": 
"non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "conditionals_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_conditional_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "convert_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_convert_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "data.index.name_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "F", - "resultFormat": "time_series", - "select": [ - [ - { - "type": 
"field", - "params": [ - "ingest_processor_stats_date_index_name_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "data_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "G", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_date_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "dissect_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "H", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_dissect_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": 
"=", - "value": "$searchnode" - } - ] - }, - { - "alias": "dot.expander_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "I", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_dot_expander_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "geoip_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "K", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_geoip_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "grok_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - 
"orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "L", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_grok_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "json_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "O", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_json_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "kv_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY 
time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "P", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_kv_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "lowercase_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "Q", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_lowercase_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "remove_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "R", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_remove_time_in_millis" - ] - 
}, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "rename_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "S", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_rename_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "script_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "T", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_script_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "url_decodes", - 
"groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "U", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_user_agent_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - } - ], - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja b/salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja deleted file mode 100644 index aaf997836..000000000 --- a/salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja +++ /dev/null 
@@ -1,793 +0,0 @@ -{ - "id": 445548, - "gridPos": { - "x": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Elastic Ingest Performance", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "community.id_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_community_id_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "conditionals_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_conditional_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "convert_time", - "groupBy": [ - { - 
"params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_convert_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "data.index.name_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "F", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_date_index_name_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "data_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": 
"randomWalk", - "rawQuery": false, - "refId": "G", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_date_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "dissect_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "H", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_dissect_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "dot.expander_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "I", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_dot_expander_time_in_millis" - ], - "type": 
"field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "geoip_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "K", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_geoip_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "grok_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "L", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_grok_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": 
"$cluster_name" - } - ] - }, - { - "alias": "json_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "O", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_json_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "kv_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "P", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_kv_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "lowercase_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": 
"elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "Q", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_lowercase_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "remove_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "R", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_remove_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "rename_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) 
FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "S", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_rename_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "script_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "T", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_script_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "url_decodes", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - 
"refId": "U", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_user_agent_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "ms" - }, - "overrides": [] - }, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja b/salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja deleted file mode 100644 index 2920ef314..000000000 --- a/salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "id": 445552, - "gridPos": { - "x": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Pipeline Time", - "datasource": "InfluxDB", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "ms" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "$tag_host", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_pipeline_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", 
- "value": "/search/" - }, - { - "key": "role", - "value": "heavynode", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - } - ] -} - - - - - - - diff --git a/salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja b/salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja deleted file mode 100644 index 42ac51038..000000000 --- a/salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "id": 445552, - "gridPos": { - "x": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Pipeline Time", - "datasource": "InfluxDB", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "ms" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_pipeline_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - } - ] -} - - - - - - - 
diff --git a/salt/grafana/panels/elasticsearch_store_size_graph.json.jinja b/salt/grafana/panels/elasticsearch_store_size_graph.json.jinja
deleted file mode 100644
index 554809b5c..000000000
--- a/salt/grafana/panels/elasticsearch_store_size_graph.json.jinja
+++ /dev/null
@@ -1,195 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "cacheTimeout": null, - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.elasticsearch_store_size_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_store_size_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_store_size_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_store_size_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 63442, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Size Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "store_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Size Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": 
[ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_store_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Store Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja b/salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja deleted file mode 100644 index e1d8edd98..000000000 --- a/salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja +++ /dev/null 
@@ -1,192 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.elasticsearch_thread_count_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_thread_count_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_thread_count_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_thread_count_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 56565, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": true, - "max": true, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Count Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_jvm", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "threads_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Count Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": 
"elasticsearch_jvm", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_threads_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Thread Count", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/influxdb_db_size_graph.json.jinja b/salt/grafana/panels/influxdb_db_size_graph.json.jinja deleted file mode 100644 index 71d636fe9..000000000 --- a/salt/grafana/panels/influxdb_db_size_graph.json.jinja +++ /dev/null 
@@ -1,191 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.influxdb_db_size_graph.gridPos.x }}, - "y": {{ PANELS.influxdb_db_size_graph.gridPos.y }}, - "w": {{ PANELS.influxdb_db_size_graph.gridPos.w }}, - "h": {{ PANELS.influxdb_db_size_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 69, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": true, - "max": true, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Size Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "influxsize", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "kbytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Size Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "influxsize", - "orderByTime": "ASC", - "policy": "so_long_term", - 
"refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_kbytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "InfluxDB Database Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "deckbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/io_wait_graph.json.jinja b/salt/grafana/panels/io_wait_graph.json.jinja deleted file mode 100644 index 9447563ec..000000000 --- a/salt/grafana/panels/io_wait_graph.json.jinja +++ /dev/null 
@@ -1,148 +0,0 @@ -{ - "id": 69011, - "gridPos": { - "x": {{ PANELS.io_wait_graph.gridPos.x }}, - "y": {{ PANELS.io_wait_graph.gridPos.y }}, - "w": {{ PANELS.io_wait_graph.gridPos.w }}, - "h": {{ PANELS.io_wait_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "IO Wait", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_iowait" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - 
"condition": "AND", - "key": "cpu", - "operator": "=", - "value": "cpu-total" - } - ] - } - ], - "description": "", - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/io_wait_stat.json.jinja b/salt/grafana/panels/io_wait_stat.json.jinja deleted file mode 100644 index 4fe4a3d8e..000000000 --- a/salt/grafana/panels/io_wait_stat.json.jinja +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "id": 61867, - "gridPos": { - "x": {{ PANELS.io_wait_stat.gridPos.x }}, - "y": {{ PANELS.io_wait_stat.gridPos.y }}, - "w": {{ PANELS.io_wait_stat.gridPos.w }}, - "h": {{ PANELS.io_wait_stat.gridPos.h }} - }, - "type": "stat", - "title": "IOWait", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 40 - }, - { - "color": "dark-red", - "value": 50 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 2, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"usage_iowait\"), 1s) FROM \"cpu\" WHERE (host =~ /$servername$/ AND \"cpu\" = 'cpu-total') AND $timeFilter GROUP BY time($interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_iowait" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "cpu", - "operator": "=", - "value": "cpu-total" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} 
diff --git a/salt/grafana/panels/load_average_5_minute_stat.json.jinja b/salt/grafana/panels/load_average_5_minute_stat.json.jinja
deleted file mode 100644
index 8198a8d19..000000000
--- a/salt/grafana/panels/load_average_5_minute_stat.json.jinja
+++ /dev/null
@@ -1,118 +0,0 @@ -{ - "id": 61859, - "gridPos": { - "x": {{ PANELS.load_average_5_minute_stat.gridPos.x }}, - "y": {{ PANELS.load_average_5_minute_stat.gridPos.y }}, - "w": {{ PANELS.load_average_5_minute_stat.gridPos.w }}, - "h": {{ PANELS.load_average_5_minute_stat.gridPos.h }} - }, - "type": "stat", - "title": "5 Minute Load Average - $cpucount Cores", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": "$cpucount / 1.5" - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": "$cpucount" - } - ] - }, - "mappings": [ - { - "options": { - "from": null, - "result": { - "text": "N/A" - }, - "to": null - }, - "type": "range" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 1, - "unit": "none" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "system", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT last(\"load5\") FROM \"system\" WHERE (\"host\" = '$servername') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "load5" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "cacheTimeout": null, - "maxDataPoints": null -} 
diff --git a/salt/grafana/panels/load_averages_graph.json.jinja b/salt/grafana/panels/load_averages_graph.json.jinja
deleted file mode 100644
index b92a5ba6c..000000000
--- a/salt/grafana/panels/load_averages_graph.json.jinja
+++ /dev/null
@@ -1,187 +0,0 @@ -{ - "id": 61869, - "gridPos": { - "x": {{ PANELS.load_averages_graph.gridPos.x }}, - "y": {{ PANELS.load_averages_graph.gridPos.y }}, - "w": {{ PANELS.load_averages_graph.gridPos.w }}, - "h": {{ PANELS.load_averages_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "1 Minute Load Average", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(load1) as \"1 minute\", last(n_cpus) as \"Total Cores\" FROM \"system\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), * ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_load1) as \"trend_1 minute\" FROM \"so_long_term\".\"system\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), * fill(linear) ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": 
"linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja b/salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja deleted file mode 100644 index 7812ca0bd..000000000 --- a/salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja +++ /dev/null 
@@ -1,403 +0,0 @@ -{ - "id": 77741, - "gridPos": { - "x": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.x }}, - "y": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.y }}, - "w": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.w }}, - "h": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Manager Logstash Events", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "description": "Events from the grid to redis", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 50, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "short" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Incoming/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/Outgoing/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "green", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Incoming hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Outgoing hidden" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Incoming hidden" - } - ] - }, - { - "matcher": { - "id": "byName", - 
"options": "Incoming" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/hidden/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "legend": true, - "tooltip": true, - "viz": false - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Incoming", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - }, - { - "alias": "Outgoing", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", 
- "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - }, - { - "alias": "Incoming hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - }, - { - "alias": "Outgoing hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - } - ], - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja deleted file mode 100644 index c1c9ed39a..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja +++ /dev/null 
@@ -1,230 +0,0 @@ -{ - "id": 76, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS In", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - 
"$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) as \"current_in\" FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - }, - { - "refId": "B", - "hide": false, - "policy": "so_long_term", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "mean_in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"mean_in\"), 1s) as \"trend_in\" FROM \"so_long_term\".\"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null, - "transformations": [] -} diff --git a/salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja b/salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja deleted file mode 100644 index f492dd4b9..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "id": 23, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.h }} - }, - "type": "stat", - "title": "Estimated EPS In - Selected Total", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-red", - "value": null - }, - { - "color": "dark-green", - "value": 1 - } - ] - }, - "mappings": [ - { - "type": "special", - "options": { - "match": "null", - "result": { - "text": "N/A" - } - } - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "unit": "short" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events" - } - ], - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - 
"timeFrom": null
-}
diff --git a/salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja
deleted file mode 100644
index 42399b5ca..000000000
--- a/salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja
+++ /dev/null
@@ -1,156 +0,0 @@ -{ - "id": 69001, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS In - Selected Total", - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true, - "alias": "Total EPS" - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - 
] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja deleted file mode 100644 index 16878ee6e..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja +++ /dev/null 
@@ -1,230 +0,0 @@ -{ - "id": 69000, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS Out", - "transformations": [], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": 
"time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"out\"), 1s) as \"current_out\" FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - }, - { - "refId": "B", - "hide": false, - "policy": "so_long_term", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "mean_in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"mean_out\"), 1s) as \"trend_out\" FROM \"so_long_term\".\"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja b/salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja deleted file mode 100644 index dc87661f5..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "id": 22323, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.h }} - }, - "type": "stat", - "title": "Estimated EPS Out - Selected Total", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-red", - "value": null - }, - { - "color": "dark-green", - "value": 1 - } - ] - }, - "mappings": [ - { - "type": "special", - "options": { - "match": "null", - "result": { - "text": "N/A" - } - } - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "unit": "short" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events" - } - ], - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - 
"timeFrom": null
-}
diff --git a/salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja
deleted file mode 100644
index 3d1600c39..000000000
--- a/salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja
+++ /dev/null
@@ -1,156 +0,0 @@ -{ - "id": 69002, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS Out - Selected Total", - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true, - "alias": "Total EPS" - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - 
"host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja b/salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja deleted file mode 100644 index ab7a569bb..000000000 --- a/salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja +++ /dev/null 
@@ -1,411 +0,0 @@ -{ - "id": 445554, - "gridPos": { - "x": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.x }}, - "y": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.y }}, - "w": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.w }}, - "h": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Indexing Events Per Second - $searchnode", - "repeat": "searchnode", - "repeatDirection": "v", - "transformations": [], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 50, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "short" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Incoming/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/Outgoing/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "green", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Incoming hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Outgoing hidden" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Incoming" - }, - "properties": [ - { - "id": 
"custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Incoming hidden" - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/hidden/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "legend": true, - "tooltip": true, - "viz": false - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Incoming", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "Outgoing", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" 
WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "Incoming hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "Outgoing hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - 
}, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja b/salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja deleted file mode 100644 index 81876a606..000000000 --- a/salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja +++ /dev/null 
@@ -1,170 +0,0 @@ -{ - "id": 69001, - "gridPos": { - "x": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.x }}, - "y": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.y }}, - "w": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.w }}, - "h": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Total Searchnode Indexing Events Per Second", - "transformations": [ - { - "id": "calculateField", - "options": { - "alias": "Total EPS", - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "fixed", - "fixedColor": "orange" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "short" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT 
non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/search/" - }, - { - "key": "role", - "value": "heavynode", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_drops_graph.json.jinja b/salt/grafana/panels/management_interface_drops_graph.json.jinja deleted file mode 100644 index 9de6c8f19..000000000 --- a/salt/grafana/panels/management_interface_drops_graph.json.jinja +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "id": 61877, - "gridPos": { - "x": {{ PANELS.management_interface_drops_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_drops_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_drops_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_drops_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Drops", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_out), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - 
} - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_in), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_out), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - 
} - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja b/salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja deleted file mode 100644 index 1ca096743..000000000 --- a/salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "id": 61877, - "gridPos": { - "x": {{ PANELS.management_interface_drops_inbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_drops_inbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_drops_inbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_drops_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Drops - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as 
\"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,role fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja b/salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja deleted file mode 100644 index 91fcb5b22..000000000 --- a/salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "id": 188189, - "gridPos": { - "x": {{ PANELS.management_interface_drops_outbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_drops_outbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_drops_outbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_drops_outbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Drops - Outbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT 
non_negative_derivative(mean(drop_out), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,role fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_packets_graph.json.jinja b/salt/grafana/panels/management_interface_packets_graph.json.jinja deleted file mode 100644 index b3e429f2f..000000000 --- a/salt/grafana/panels/management_interface_packets_graph.json.jinja +++ /dev/null 
@@ -1,283 +0,0 @@ -{ - "id": 61875, - "gridPos": { - "x": {{ PANELS.management_interface_packets_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_packets_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_packets_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_packets_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Packets", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_recv), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [], - "hide": false - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_sent), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_recv), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_sent), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Packets per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - 
"mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_traffic_both_graph.json.jinja b/salt/grafana/panels/management_interface_traffic_both_graph.json.jinja deleted file mode 100644 index e15bef885..000000000 --- a/salt/grafana/panels/management_interface_traffic_both_graph.json.jinja +++ /dev/null 
@@ -1,409 +0,0 @@ -{ - "id": 18, - "gridPos": { - "x": {{ PANELS.management_interface_traffic_both_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_traffic_both_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_traffic_both_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_traffic_both_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Traffic ", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "dash": [ - 4, - 10 - ], - "fill": "dash" - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: RX Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" 
- ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: TX Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_sent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: RX Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "linear" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "net", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "C", - "resultFormat": 
"time_series", - "select": [ - [ - { - "params": [ - "mean_bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: TX Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "linear" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "net", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_bytes_sent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja b/salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja deleted file mode 100644 index 3f876a18d..000000000 --- a/salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja +++ /dev/null 
@@ -1,164 +0,0 @@ -{ - "id": 18, - "gridPos": { - "x": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Traffic - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1, - "min": 0 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" 
WHERE (\"host\" = '$servername' AND \"interface\" = '$manint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja b/salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja deleted file mode 100644 index 48817d448..000000000 --- a/salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja +++ /dev/null 
@@ -1,162 +0,0 @@ -{ - "id": 69014, - "gridPos": { - "x": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Traffic - Outbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1, - "min": 0 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - 
"params": [ - "bytes_sent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/memory_usage_graph.json.jinja b/salt/grafana/panels/memory_usage_graph.json.jinja deleted file mode 100644 index 662eb18c1..000000000 --- a/salt/grafana/panels/memory_usage_graph.json.jinja +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "id": 61873, - "gridPos": { - "x": {{ PANELS.memory_usage_graph.gridPos.x }}, - "y": {{ PANELS.memory_usage_graph.gridPos.y }}, - "w": {{ PANELS.memory_usage_graph.gridPos.w }}, - "h": {{ PANELS.memory_usage_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Memory Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) as total, mean(used) as used, mean(cached) as cached, mean(free) as free, mean(buffered) as buffered FROM \"mem\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_total) as trend_total, mean(mean_used) as trend_used, mean(mean_cached) as trend_cached, mean(mean_free) as trend_free, mean(mean_buffered) as trend_buffered FROM \"so_long_term\".\"mem\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host fill(linear) ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - 
{ - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/total/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "#C4162A", - "mode": "fixed" - } - }, - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/memory_usage_percent_graph.json.jinja b/salt/grafana/panels/memory_usage_percent_graph.json.jinja deleted file mode 100644 index 620c3ea72..000000000 --- a/salt/grafana/panels/memory_usage_percent_graph.json.jinja +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "id": 69013, - "gridPos": { - "x": {{ PANELS.memory_usage_percent_graph.gridPos.x }}, - "y": {{ PANELS.memory_usage_percent_graph.gridPos.y }}, - "w": {{ PANELS.memory_usage_percent_graph.gridPos.w }}, - "h": {{ PANELS.memory_usage_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Memory Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "mem", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - 
"overrides": [] - }, - "interval": "30s", - "description": "", - "timeFrom": null, - "timeShift": null, - "maxDataPoints": null -} diff --git a/salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja b/salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja deleted file mode 100644 index 8a5ee72ce..000000000 --- a/salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "id": 102, - "gridPos": { - "x": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Memory Usage Current", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_mem", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": 
"off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1 - }, - "overrides": [] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja deleted file mode 100644 index fb3aa402c..000000000 --- a/salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "id": 103, - "gridPos": { - "x": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Memory Usage Trend", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_mem", - "orderByTime": "ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "mean_usage_percent" - ] - }, - { - "type": "mean", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - 
"thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1 - }, - "overrides": [] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_drops_graph.json.jinja b/salt/grafana/panels/monitor_interface_drops_graph.json.jinja deleted file mode 100644 index 993926156..000000000 --- a/salt/grafana/panels/monitor_interface_drops_graph.json.jinja +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "id": 61387, - "gridPos": { - "x": {{ PANELS.monitor_interface_drops_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_drops_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_drops_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_drops_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Drops", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_out), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_in), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_out), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - 
"color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja b/salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja deleted file mode 100644 index 2c4574f84..000000000 --- a/salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "id": 188190, - "gridPos": { - "x": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Drops - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,role fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - 
"resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_packets_graph.json.jinja b/salt/grafana/panels/monitor_interface_packets_graph.json.jinja deleted file mode 100644 index 4c44fdb87..000000000 --- a/salt/grafana/panels/monitor_interface_packets_graph.json.jinja +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "id": 61878, - "gridPos": { - "x": {{ PANELS.monitor_interface_packets_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_packets_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_packets_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_packets_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Packets", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "last" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_recv), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_sent), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, 
- { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_recv), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_sent), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Packets per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": 
"palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja b/salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja deleted file mode 100644 index 3c1a6fc74..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja +++ /dev/null 
@@ -1,276 +0,0 @@ -{ - "id": 10, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Traffic", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "dash": [ - 4, - 10 - ], - "fill": "dash" - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "last" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: RX Current", - "dsType": 
"influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: RX Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "net", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} 
diff --git a/salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja b/salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja deleted file mode 100644 index 5365bd3ac..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja +++ /dev/null 
@@ -1,167 +0,0 @@ -{ - "id": 188188, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Traffic - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - }, - "lineStyle": { - "fill": "solid" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1, - "min": 0 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT 
non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" WHERE (\"host\" = '$servername' AND \"interface\" = '$monint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja b/salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja deleted file mode 100644 index 67e92668d..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - "id": 224244, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Traffic - Selected Total", - "transformations": [ - { - "id": "calculateField", - "options": { - "alias": "Total Monitor Traffic", - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "auto", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(245, 54, 54, 0.9)", - "value": null - }, - { - "color": "rgba(50, 172, 45, 0.97)", - "value": 1 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "decimals": 1, - "unit": "bps" - }, - "overrides": [] - }, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - 
"type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" WHERE (\"host\" =~ /^$servername$/ AND \"interface\" = '$monint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - } - ], - "cacheTimeout": null, - "description": "", - "maxDataPoints": null -} diff --git a/salt/grafana/panels/monitor_interface_traffic_stat.json.jinja b/salt/grafana/panels/monitor_interface_traffic_stat.json.jinja deleted file mode 100644 index 283d93f7a..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_stat.json.jinja +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "id": 24, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_stat.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_stat.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_stat.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_stat.gridPos.h }} - }, - "type": "stat", - "title": "Monitor Traffic - Selected Total", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(245, 54, 54, 0.9)", - "value": null - }, - { - "color": "rgba(50, 172, 45, 0.97)", - "value": 1 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 2, - "unit": "bps" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "bytes_recv" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - }, - { - "type": "math", - "params": [ - "*8" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ], - "query": "SELECT 
non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" WHERE (\"host\" =~ /^$servername$/ AND \"interface\" = '$monint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "interval": null, - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "alias": "Monitor Traffic", - "replaceFields": true - } - } - ], - "description": "" -} diff --git a/salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja b/salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja deleted file mode 100644 index 9a9d81504..000000000 --- a/salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "id": 61868, - "gridPos": { - "x": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Network Usage Current", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name RX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_net", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "rx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ], - "hide": false - }, - { - "alias": "$tag_host: $tag_container_name TX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "docker_container_net", - 
"orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "tx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 5, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [] - }, - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja deleted file mode 100644 index b8dc975d8..000000000 --- a/salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,231 +0,0 @@ -{ - "id": 61461, - "gridPos": { - "x": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Network Usage Trend", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "5m", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name RX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_net", - "orderByTime": "ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_rx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - }, - { - "alias": "$tag_host: $tag_container_name TX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "docker_container_net", - "orderByTime": "ASC", 
- "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_tx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 5, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [] - }, - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/nsm_used_guage.json.jinja b/salt/grafana/panels/nsm_used_guage.json.jinja deleted file mode 100644 index 3175d3bfd..000000000 --- a/salt/grafana/panels/nsm_used_guage.json.jinja +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "id": 12, - "gridPos": { - "x": {{ PANELS.nsm_used_guage.gridPos.x }}, - "y": {{ PANELS.nsm_used_guage.gridPos.y }}, - "w": {{ PANELS.nsm_used_guage.gridPos.w }}, - "h": {{ PANELS.nsm_used_guage.gridPos.h }} - }, - "type": "gauge", - "title": "NSM used", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 85 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 95 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/nsm" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/pcap_retention_stat.json.jinja b/salt/grafana/panels/pcap_retention_stat.json.jinja deleted file mode 100644 index 138b18e6b..000000000 
--- a/salt/grafana/panels/pcap_retention_stat.json.jinja +++ /dev/null @@ -1,113 +0,0 @@ -{ - "id": 26, - "gridPos": { - "x": {{ PANELS.pcap_retention_stat.gridPos.x }}, - "y": {{ PANELS.pcap_retention_stat.gridPos.y }}, - "w": {{ PANELS.pcap_retention_stat.gridPos.w }}, - "h": {{ PANELS.pcap_retention_stat.gridPos.h }} - }, - "type": "stat", - "title": "PCAP Retention", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 2, - "unit": "d" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto" - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "pcapage", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "seconds" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "/86400" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/process_status_graph.json.jinja b/salt/grafana/panels/process_status_graph.json.jinja deleted file mode 100644 index 302175c36..000000000 --- a/salt/grafana/panels/process_status_graph.json.jinja +++ /dev/null 
@@ -1,203 +0,0 @@ -{ - "id": 61852, - "gridPos": { - "x": {{ PANELS.process_status_graph.gridPos.x }}, - "y": {{ PANELS.process_status_graph.gridPos.y }}, - "w": {{ PANELS.process_status_graph.gridPos.w }}, - "h": {{ PANELS.process_status_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Process Status", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "processes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(running) as running, 
mean(blocked) as blocked, mean(sleeping) as sleeping, mean(stopped) as stopped, mean(zombies) as zombies, mean(paging) as paging, mean(unknown) as unknown FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "blocked" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$server$/" - } - ] - }, - { - "alias": "$tag_host: $col", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "processes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_running) as trend_running, mean(mean_blocked) as trend_blocked, mean(mean_sleeping) as trend_sleeping, mean(mean_stopped) as trend_stopped, mean(mean_zombies) as trend_zombies, mean(mean_paging) as trend_paging, mean(mean_unknown) as trend_unknown FROM \"so_long_term\".\"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host fill(linear) ORDER BY asc", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "blocked" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$server$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/ram_usage_guage.json.jinja b/salt/grafana/panels/ram_usage_guage.json.jinja deleted file mode 100644 index 813b9cba8..000000000 --- a/salt/grafana/panels/ram_usage_guage.json.jinja +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "id": 61860, - "gridPos": { - "x": {{ PANELS.ram_usage_guage.gridPos.x }}, - "y": {{ PANELS.ram_usage_guage.gridPos.y }}, - "w": {{ PANELS.ram_usage_guage.gridPos.w }}, - "h": {{ PANELS.ram_usage_guage.gridPos.h }} - }, - "type": "gauge", - "title": "RAM usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 70 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 80 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "mem", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "orderByTime": "ASC" - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/redis_queue_graph.json.jinja b/salt/grafana/panels/redis_queue_graph.json.jinja deleted file mode 100644 index b33290008..000000000 --- a/salt/grafana/panels/redis_queue_graph.json.jinja +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "id": 55, - "gridPos": { - "x": {{ PANELS.redis_queue_graph.gridPos.x }}, - "y": {{ PANELS.redis_queue_graph.gridPos.y }}, - "w": {{ PANELS.redis_queue_graph.gridPos.w }}, - "h": {{ PANELS.redis_queue_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Redis Queue", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "short", - "decimals": 2 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Queue Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "redisqueue", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "unparsed" - ], - "type": "field" - }, - { - 
"params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "condition": "OR", - "key": "role", - "operator": "=", - "value": "standalone" - } - ] - }, - { - "alias": "Queue Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "redisqueue", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_unparsed" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "condition": "OR", - "key": "role", - "operator": "=", - "value": "standalone" - } - ] - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/redis_queue_stat.json.jinja b/salt/grafana/panels/redis_queue_stat.json.jinja deleted file mode 100644 index b0b3d8946..000000000 --- a/salt/grafana/panels/redis_queue_stat.json.jinja +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "color": { - "mode": "thresholds" - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.redis_queue_stat.gridPos.x }}, - "y": {{ PANELS.redis_queue_stat.gridPos.y }}, - "w": {{ PANELS.redis_queue_stat.gridPos.w }}, - "h": {{ PANELS.redis_queue_stat.gridPos.h }} - }, - "id": 68894, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "auto", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "redisqueue", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "unparsed" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "title": "Redis Unparsed Queue", - "type": "stat", - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/rootfs_used_guage.json.jinja b/salt/grafana/panels/rootfs_used_guage.json.jinja deleted file mode 100644 index b628d247c..000000000 --- a/salt/grafana/panels/rootfs_used_guage.json.jinja +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "id": 61866, - "gridPos": { - "x": {{ PANELS.rootfs_used_guage.gridPos.x }}, - "y": {{ PANELS.rootfs_used_guage.gridPos.y }}, - "w": {{ PANELS.rootfs_used_guage.gridPos.w }}, - "h": {{ PANELS.rootfs_used_guage.gridPos.h }} - }, - "type": "gauge", - "title": "RootFS used", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 70 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 80 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/row_cpu.json.jinja b/salt/grafana/panels/row_cpu.json.jinja deleted file mode 100644 index 6384048d6..000000000 
--- a/salt/grafana/panels/row_cpu.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_cpu.gridPos.x }},
- "y": {{ PANELS.row_cpu.gridPos.y }},
- "w": {{ PANELS.row_cpu.gridPos.w }},
- "h": {{ PANELS.row_cpu.gridPos.h }}
- },
- "id": 2,
- "panels": [],
- "repeat": null,
- "title": "CPU",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_disk_iops.json.jinja b/salt/grafana/panels/row_disk_iops.json.jinja
deleted file mode 100644
index f54494825..000000000
--- a/salt/grafana/panels/row_disk_iops.json.jinja
+++ /dev/null
@@ -1,22 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_disk_iops.gridPos.x }},
- "y": {{ PANELS.row_disk_iops.gridPos.y }},
- "w": {{ PANELS.row_disk_iops.gridPos.w }},
- "h": {{ PANELS.row_disk_iops.gridPos.h }}
- },
- "id": 62055,
- "panels": [],
- "repeat": "disk",
- "scopedVars": {
- "disk": {
- "selected": false,
- "text": "sda",
- "value": "sda"
- }
- },
- "title": "Disk IOPS for /dev/$disk",
- "type": "row"
-}
diff --git a/salt/grafana/panels/row_disk_usage.json.jinja b/salt/grafana/panels/row_disk_usage.json.jinja
deleted file mode 100644
index 2cfac7cb4..000000000
--- a/salt/grafana/panels/row_disk_usage.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_disk_usage.gridPos.x }},
- "y": {{ PANELS.row_disk_usage.gridPos.y }},
- "w": {{ PANELS.row_disk_usage.gridPos.w }},
- "h": {{ PANELS.row_disk_usage.gridPos.h }}
- },
- "id": 3333,
- "panels": [],
- "repeat": null,
- "title": "Disk Usage",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_docker_details.json.jinja b/salt/grafana/panels/row_docker_details.json.jinja
deleted file mode 100644
index bb06a57ed..000000000
--- a/salt/grafana/panels/row_docker_details.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_docker_details.gridPos.x }},
- "y": {{ PANELS.row_docker_details.gridPos.y }},
- "w": {{ PANELS.row_docker_details.gridPos.w }},
- "h": {{ PANELS.row_docker_details.gridPos.h }}
- },
- "id": 4,
- "panels": [],
- "repeat": null,
- "title": "Docker Details",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_elasticsearch.json.jinja b/salt/grafana/panels/row_elasticsearch.json.jinja
deleted file mode 100644
index 04340c3e2..000000000
--- a/salt/grafana/panels/row_elasticsearch.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_elasticsearch.gridPos.x }},
- "y": {{ PANELS.row_elasticsearch.gridPos.y }},
- "w": {{ PANELS.row_elasticsearch.gridPos.w }},
- "h": {{ PANELS.row_elasticsearch.gridPos.h }}
- },
- "id": 2442,
- "panels": [],
- "repeat": null,
- "title": "Elasticsearch",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_influxdb.json.jinja b/salt/grafana/panels/row_influxdb.json.jinja
deleted file mode 100644
index 7f3251cc9..000000000
--- a/salt/grafana/panels/row_influxdb.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_influxdb.gridPos.x }},
- "y": {{ PANELS.row_influxdb.gridPos.y }},
- "w": {{ PANELS.row_influxdb.gridPos.w }},
- "h": {{ PANELS.row_influxdb.gridPos.h }}
- },
- "id": 43434,
- "panels": [],
- "repeat": null,
- "title": "InfluxDB",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_logstash.json.jinja b/salt/grafana/panels/row_logstash.json.jinja
deleted file mode 100644
index e934dbd0e..000000000
--- a/salt/grafana/panels/row_logstash.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_logstash.gridPos.x }},
- "y": {{ PANELS.row_logstash.gridPos.y }},
- "w": {{ PANELS.row_logstash.gridPos.w }},
- "h": {{ PANELS.row_logstash.gridPos.h }}
- },
- "id": 24242,
- "panels": [],
- "repeat": null,
- "title": "Logstash",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_memory.json.jinja b/salt/grafana/panels/row_memory.json.jinja
deleted file mode 100644
index 33d203138..000000000
--- a/salt/grafana/panels/row_memory.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_memory.gridPos.x }},
- "y": {{ PANELS.row_memory.gridPos.y }},
- "w": {{ PANELS.row_memory.gridPos.w }},
- "h": {{ PANELS.row_memory.gridPos.h }}
- },
- "id": 3,
- "panels": [],
- "repeat": null,
- "title": "Memory",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_network.json.jinja b/salt/grafana/panels/row_network.json.jinja
deleted file mode 100644
index 6f611f580..000000000
--- a/salt/grafana/panels/row_network.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_network.gridPos.x }},
- "y": {{ PANELS.row_network.gridPos.y }},
- "w": {{ PANELS.row_network.gridPos.w }},
- "h": {{ PANELS.row_network.gridPos.h }}
- },
- "id": 333,
- "panels": [],
- "repeat": null,
- "title": "Network",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_overview.json.jinja b/salt/grafana/panels/row_overview.json.jinja
deleted file mode 100644
index d05a9394d..000000000
--- a/salt/grafana/panels/row_overview.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_overview.gridPos.x }},
- "y": {{ PANELS.row_overview.gridPos.y }},
- "w": {{ PANELS.row_overview.gridPos.w }},
- "h": {{ PANELS.row_overview.gridPos.h }}
- },
- "id": 1,
- "panels": [],
- "repeat": null,
- "title": "Overview",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_packet_loss.json.jinja b/salt/grafana/panels/row_packet_loss.json.jinja
deleted file mode 100644
index b9d2c8a96..000000000
--- a/salt/grafana/panels/row_packet_loss.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_packet_loss.gridPos.x }},
- "y": {{ PANELS.row_packet_loss.gridPos.y }},
- "w": {{ PANELS.row_packet_loss.gridPos.w }},
- "h": {{ PANELS.row_packet_loss.gridPos.h }}
- },
- "id": 816341,
- "panels": [],
- "repeat": null,
- "title": "Packet Loss",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_redis.json.jinja b/salt/grafana/panels/row_redis.json.jinja
deleted file mode 100644
index f0be53693..000000000
--- a/salt/grafana/panels/row_redis.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_redis.gridPos.x }},
- "y": {{ PANELS.row_redis.gridPos.y }},
- "w": {{ PANELS.row_redis.gridPos.w }},
- "h": {{ PANELS.row_redis.gridPos.h }}
- },
- "id": 24812,
- "panels": [],
- "repeat": null,
- "title": "Redis",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_stenographer.json.jinja b/salt/grafana/panels/row_stenographer.json.jinja
deleted file mode 100644
index 004757748..000000000
--- a/salt/grafana/panels/row_stenographer.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_stenographer.gridPos.x }},
- "y": {{ PANELS.row_stenographer.gridPos.y }},
- "w": {{ PANELS.row_stenographer.gridPos.w }},
- "h": {{ PANELS.row_stenographer.gridPos.h }}
- },
- "id": 8812,
- "panels": [],
- "repeat": null,
- "title": "Stenographer",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_suricata.json.jinja b/salt/grafana/panels/row_suricata.json.jinja
deleted file mode 100644
index d4dead5c5..000000000
--- a/salt/grafana/panels/row_suricata.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_suricata.gridPos.x }},
- "y": {{ PANELS.row_suricata.gridPos.y }},
- "w": {{ PANELS.row_suricata.gridPos.w }},
- "h": {{ PANELS.row_suricata.gridPos.h }}
- },
- "id": 8481,
- "panels": [],
- "repeat": null,
- "title": "Suricata",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_swap.json.jinja b/salt/grafana/panels/row_swap.json.jinja
deleted file mode 100644
index c465dcc6e..000000000
--- a/salt/grafana/panels/row_swap.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_swap.gridPos.x }},
- "y": {{ PANELS.row_swap.gridPos.y }},
- "w": {{ PANELS.row_swap.gridPos.w }},
- "h": {{ PANELS.row_swap.gridPos.h }}
- },
- "id": 444,
- "panels": [],
- "repeat": null,
- "title": "Swap",
- "type": "row"
- }
diff --git a/salt/grafana/panels/row_zeek.json.jinja b/salt/grafana/panels/row_zeek.json.jinja
deleted file mode 100644
index 1b236a543..000000000
--- a/salt/grafana/panels/row_zeek.json.jinja
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "collapsed": false,
- "datasource": null,
- "gridPos": {
- "x": {{ PANELS.row_zeek.gridPos.x }},
- "y": {{ PANELS.row_zeek.gridPos.y }},
- "w": {{ PANELS.row_zeek.gridPos.w }},
- "h": {{ PANELS.row_zeek.gridPos.h }}
- },
- "id": 21281,
- "panels": [],
- "repeat": null,
- "title": "Zeek",
- "type": "row"
- }
diff --git a/salt/grafana/panels/stenographer_packet_loss_graph.json.jinja b/salt/grafana/panels/stenographer_packet_loss_graph.json.jinja
deleted file mode 100644
index 0fb56dbe7..000000000
--- a/salt/grafana/panels/stenographer_packet_loss_graph.json.jinja
+++ /dev/null
@@ -1,229 +0,0 @@ -{ - "id": 19, - "gridPos": { - "x": {{ PANELS.stenographer_packet_loss_graph.gridPos.x }}, - "y": {{ PANELS.stenographer_packet_loss_graph.gridPos.y }}, - "w": {{ PANELS.stenographer_packet_loss_graph.gridPos.w }}, - "h": {{ PANELS.stenographer_packet_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Stenographer Packet Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "Current $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" 
- ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "stenodrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "Trend $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "hide": {{ PANELS.stenographer_packet_loss_graph.get('hideTrend', false)|json }}, - "measurement": "stenodrop", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/stenographer_packet_loss_stat.json.jinja b/salt/grafana/panels/stenographer_packet_loss_stat.json.jinja deleted file mode 100644 index 863772fcd..000000000 --- a/salt/grafana/panels/stenographer_packet_loss_stat.json.jinja +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 1 - }, - { - "color": "dark-red", - "value": 5 - } - ] - }, - "mappings": [ - { - "op": "=", - "text": "N/A", - "value": "null", - "$$hashKey": "object:1120", - "id": 0, - "type": 1 - } - ], - "unit": "percent", - "decimals": 2, - "color": { - "mode": "thresholds" - } - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.stenographer_packet_loss_stat.gridPos.x }}, - "y": {{ PANELS.stenographer_packet_loss_stat.gridPos.y }}, - "w": {{ PANELS.stenographer_packet_loss_stat.gridPos.w }}, - "h": {{ PANELS.stenographer_packet_loss_stat.gridPos.h }} - }, - "id": 22, - "links": [], - "maxDataPoints": 100, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "stenodrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "title": "Stenographer Packet Loss", - "type": "stat", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "cacheTimeout": null, - "interval": null, - "pluginVersion": "7.5.4" -} diff --git a/salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja b/salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja deleted file mode 100644 index 83c51a73d..000000000 
--- a/salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja +++ /dev/null 
@@ -1,207 +0,0 @@ -{ - "id": 2239, - "gridPos": { - "x": {{ PANELS.stenographer_pcap_retention_graph.gridPos.x }}, - "y": {{ PANELS.stenographer_pcap_retention_graph.gridPos.y }}, - "w": {{ PANELS.stenographer_pcap_retention_graph.gridPos.w }}, - "h": {{ PANELS.stenographer_pcap_retention_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Stenographer PCAP Retention", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "s", - "decimals": 2 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "hidden", - "placement": "bottom", - "calcs": [] - } - }, - "targets": [ - { - "alias": "$tag_host: Oldest Pcap Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "pcapage", - 
"orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "seconds" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "$tag_host: Oldest Pcap Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "pcapage", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_seconds" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/suricata_packet_loss_graph.json.jinja b/salt/grafana/panels/suricata_packet_loss_graph.json.jinja deleted file mode 100644 index eb26f9d8b..000000000 --- a/salt/grafana/panels/suricata_packet_loss_graph.json.jinja +++ /dev/null 
@@ -1,241 +0,0 @@ -{ - "id": 21, - "gridPos": { - "x": {{ PANELS.suricata_packet_loss_graph.gridPos.x }}, - "y": {{ PANELS.suricata_packet_loss_graph.gridPos.y }}, - "w": {{ PANELS.suricata_packet_loss_graph.gridPos.w }}, - "h": {{ PANELS.suricata_packet_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Suricata Packet Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "Current $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": 
"tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "suridrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "Trend $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "hide": {{ PANELS.suricata_packet_loss_graph.get('hideTrend', false)|json }}, - "measurement": "suridrop", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/suricata_packet_loss_stat.json.jinja b/salt/grafana/panels/suricata_packet_loss_stat.json.jinja deleted file mode 100644 index 87a3f48e5..000000000 --- a/salt/grafana/panels/suricata_packet_loss_stat.json.jinja +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 1 - }, - { - "color": "dark-red", - "value": 5 - } - ] - }, - "mappings": [ - { - "op": "=", - "text": "N/A", - "value": "null", - "$$hashKey": "object:949", - "id": 0, - "type": 1 - } - ], - "unit": "percent", - "decimals": 2, - "color": { - "mode": "thresholds" - } - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.suricata_packet_loss_stat.gridPos.x }}, - "y": {{ PANELS.suricata_packet_loss_stat.gridPos.y }}, - "w": {{ PANELS.suricata_packet_loss_stat.gridPos.w }}, - "h": {{ PANELS.suricata_packet_loss_stat.gridPos.h }} - }, - "id": 20, - "links": [], - "maxDataPoints": 100, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "suridrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "title": "Suricata Packet Loss", - "type": "stat", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "cacheTimeout": null, - "interval": null -} diff --git a/salt/grafana/panels/swap_io_bytes_graph.json.jinja b/salt/grafana/panels/swap_io_bytes_graph.json.jinja deleted file mode 100644 index fe7989870..000000000 
--- a/salt/grafana/panels/swap_io_bytes_graph.json.jinja +++ /dev/null 
@@ -1,187 +0,0 @@ -{ - "id": 68890, - "gridPos": { - "x": {{ PANELS.swap_io_bytes_graph.gridPos.x }}, - "y": {{ PANELS.swap_io_bytes_graph.gridPos.y }}, - "w": {{ PANELS.swap_io_bytes_graph.gridPos.w }}, - "h": {{ PANELS.swap_io_bytes_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Swap I/O Bytes", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\")) as \"in\", non_negative_derivative(mean(\"out\")) as \"out\" FROM \"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"mean_in\")) as \"trend_in\", non_negative_derivative(mean(\"mean_out\")) as \"trend_out\" FROM \"so_long_term\".\"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host fill(linear) ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/swap_usage_bytes_graph.json.jinja b/salt/grafana/panels/swap_usage_bytes_graph.json.jinja deleted file mode 100644 index 4986b72a5..000000000 --- a/salt/grafana/panels/swap_usage_bytes_graph.json.jinja +++ /dev/null 
@@ -1,184 +0,0 @@ -{ - "type": "graph", - "title": "Swap Usage", - "gridPos": { - "x": {{ PANELS.swap_usage_bytes_graph.gridPos.x }}, - "y": {{ PANELS.swap_usage_bytes_graph.gridPos.y }}, - "w": {{ PANELS.swap_usage_bytes_graph.gridPos.w }}, - "h": {{ PANELS.swap_usage_bytes_graph.gridPos.h }} - }, - "id": 68892, - "targets": [ - { - "refId": "A", - "queryType": "randomWalk", - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "value" - ] - }, - { - "type": "mean", - "params": [] - } - ] - ], - "query": "SELECT mean(used) as \"used\", mean(total) as \"total\" FROM \"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "rawQuery": true, - "alias": "$tag_host: $col" - }, - { - "refId": "B", - "queryType": "randomWalk", - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "value" - ] - }, - { - "type": "mean", - "params": [] - } - ] - ], - "query": "SELECT mean(mean_used) as \"trend_used\", mean(mean_total) as \"trend_total\" FROM \"so_long_term\".\"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "rawQuery": true, - "alias": "$tag_host: $col", - "hide": false - } - ], - "options": { - "alertThreshold": true - }, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "pluginVersion": "7.5.4", - "renderer": "flot", - "yaxes": [ - { - "label": null, - "show": true, - "logBase": 1, - "min": "0", - "max": null, - "format": "bytes", - "$$hashKey": "object:515" - }, - { - "label": 
null, - "show": true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:516" - } - ], - "xaxis": { - "show": true, - "mode": "time", - "name": null, - "values": [], - "buckets": null - }, - "yaxis": { - "align": false, - "alignLevel": null - }, - "lines": true, - "fill": 1, - "linewidth": 1, - "dashLength": 10, - "spaceLength": 10, - "pointradius": 2, - "legend": { - "show": true, - "values": true, - "min": false, - "max": true, - "current": true, - "total": false, - "avg": true, - "alignAsTable": true - }, - "nullPointMode": "connected", - "tooltip": { - "value_type": "individual", - "shared": true, - "sort": 0 - }, - "aliasColors": {}, - "seriesOverrides": [ - { - "$$hashKey": "object:575", - "alias": "/total/", - "fill": 0, - "color": "#C4162A" - }, - { - "$$hashKey": "object:596", - "alias": "/trend/", - "fill": 0, - "linewidth": 4, - "dashes": true, - "dashLength": 4 - } - ], - "thresholds": [], - "timeRegions": [], - "fillGradient": 0, - "dashes": false, - "hiddenSeries": false, - "points": false, - "bars": false, - "stack": false, - "percentage": false, - "steppedLine": false, - "maxDataPoints": 750, - "interval": "30s" -} diff --git a/salt/grafana/panels/swap_usage_guage.json.jinja b/salt/grafana/panels/swap_usage_guage.json.jinja deleted file mode 100644 index f7e3d4f34..000000000 --- a/salt/grafana/panels/swap_usage_guage.json.jinja +++ /dev/null 
@@ -1,115 +0,0 @@ -{ - "id": 61863, - "gridPos": { - "x": {{ PANELS.swap_usage_guage.gridPos.x }}, - "y": {{ PANELS.swap_usage_guage.gridPos.y }}, - "w": {{ PANELS.swap_usage_guage.gridPos.w }}, - "h": {{ PANELS.swap_usage_guage.gridPos.h }} - }, - "type": "gauge", - "title": "Swap usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 50 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 70 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "swap", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "orderByTime": "ASC" - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/swap_usage_percent_graph.json.jinja b/salt/grafana/panels/swap_usage_percent_graph.json.jinja deleted file mode 100644 index 875107fd7..000000000 --- a/salt/grafana/panels/swap_usage_percent_graph.json.jinja +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "id": 69873, - "gridPos": { - "x": {{ PANELS.swap_usage_percent_graph.gridPos.x }}, - "y": {{ PANELS.swap_usage_percent_graph.gridPos.y }}, - "w": {{ PANELS.swap_usage_percent_graph.gridPos.w }}, - "h": {{ PANELS.swap_usage_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Swap Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "swap", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - 
"value": "/^$servername$/" - } - ] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s", - "maxDataPoints": null -} diff --git a/salt/grafana/panels/system_uptime.json.jinja b/salt/grafana/panels/system_uptime.json.jinja deleted file mode 100644 index fc2cb69ac..000000000 --- a/salt/grafana/panels/system_uptime.json.jinja +++ /dev/null @@ -1,91 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgb(255, 255, 255)", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.system_uptime.gridPos.x }}, - "y": {{ PANELS.system_uptime.gridPos.y }}, - "w": {{ PANELS.system_uptime.gridPos.w }}, - "h": {{ PANELS.system_uptime.gridPos.h }} - }, - "id": 39, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "auto", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "system", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "uptime" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "timeFrom": null, - "timeShift": null, - "title": "System Uptime", - "type": "stat" -} diff --git a/salt/grafana/panels/system_uptime_graph.json.jinja b/salt/grafana/panels/system_uptime_graph.json.jinja deleted file mode 100644 index bf26b520f..000000000 --- a/salt/grafana/panels/system_uptime_graph.json.jinja +++ /dev/null 
@@ -1,148 +0,0 @@ -{ - "type": "graph", - "title": "System Uptime", - "gridPos": { - "x": {{ PANELS.system_uptime_graph.gridPos.x }}, - "y": {{ PANELS.system_uptime_graph.gridPos.y }}, - "w": {{ PANELS.system_uptime_graph.gridPos.w }}, - "h": {{ PANELS.system_uptime_graph.gridPos.h }} - }, - "id": 69016, - "targets": [ - { - "refId": "A", - "queryType": "randomWalk", - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "tag", - "params": [ - "role" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "uptime" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "measurement": "system", - "alias": "$tag_host $tag_role" - } - ], - "options": { - "alertThreshold": true - }, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "pluginVersion": "7.5.4", - "renderer": "flot", - "yaxes": [ - { - "label": "", - "show": true, - "logBase": 1, - "min": "0", - "max": "604800", - "format": "s", - "$$hashKey": "object:213", - "decimals": 1 - }, - { - "label": null, - "show": true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:214" - } - ], - "xaxis": { - "show": true, - "mode": "time", - "name": null, - "values": [], - "buckets": null - }, - "yaxis": { - "align": false, - "alignLevel": null - }, - "lines": true, - "linewidth": 1, - "dashLength": 10, - "spaceLength": 10, - "pointradius": 2, - "legend": { - "show": true, - "values": true, - "min": false, - "max": false, - "current": true, - "total": false, - "avg": false, - "alignAsTable": true, - "rightSide": true - }, - "nullPointMode": "connected", - "tooltip": { - "value_type": "individual", - "shared": true, - 
"sort": 1 - }, - "aliasColors": {}, - "seriesOverrides": [], - "thresholds": [], - "timeRegions": [], - "fill": 0, - "fillGradient": 0, - "dashes": false, - "hiddenSeries": false, - "points": false, - "bars": false, - "stack": false, - "percentage": false, - "steppedLine": false, - "decimals": 1, - "description": "" -} diff --git a/salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja b/salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja deleted file mode 100644 index ad4ff2805..000000000 --- a/salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,168 +0,0 @@ -{ - "aliasColors": {}, - "dashLength": 10, - "datasource": "InfluxDB", - "decimals": 1, - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.uptime_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.uptime_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.uptime_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.uptime_docker_combined_current_graph.gridPos.h }} - }, - "id": 68896, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": false, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "pluginVersion": "7.5.4", - "pointradius": 2, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "targets": [ - { - "alias": "$tag_host $tag_role $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "tag", - "params": [ - "role" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_status", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT last(\"uptime_ns\") FROM \"docker_container_status\" WHERE (\"host\" =~ /^$servername$/ AND \"container_name\" =~ /^$containers$/) AND $timeFilter GROUP BY time($__interval), \"container_name\", \"host\", \"role\" fill(null)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "uptime_ns" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": 
"container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ], - "slimit": "", - "limit": "" - } - ], - "thresholds": [], - "timeRegions": [], - "title": "Container Uptime Current", - "tooltip": { - "shared": true, - "sort": 1, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:192", - "format": "ns", - "label": null, - "logBase": 1, - "max": "604800000000000", - "min": "0", - "show": true, - "decimals": 1 - }, - { - "$$hashKey": "object:193", - "decimals": 2, - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": "0", - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - }, - "bars": false, - "dashes": false, - "fill": 0, - "fillGradient": 0, - "hiddenSeries": false, - "percentage": false, - "points": false, - "stack": false, - "steppedLine": false, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja deleted file mode 100644 index a4be68137..000000000 --- a/salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,165 +0,0 @@ -{ - "id": 68999, - "gridPos": { - "x": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.h }} - }, - "type": "graph", - "title": "Container Uptime Trend", - "datasource": "InfluxDB", - "thresholds": [ - { - "$$hashKey": "object:1299", - "colorMode": "critical", - "fill": false, - "line": true, - "op": "lt", - "value": 4500000000000, - "yaxis": "left" - } - ], - "pluginVersion": "8.2.1", - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": false, - "total": false, - "values": true - }, - "aliasColors": {}, - "dashLength": 10, - "decimals": 1, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "pointradius": 2, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_status", - "orderByTime": "ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "mean_uptime_ns" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "timeRegions": [], - "tooltip": { - "shared": true, - "sort": 1, - 
"value_type": "individual" - }, - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:192", - "format": "ns", - "label": null, - "logBase": 1, - "max": "604800000000000", - "min": null, - "show": true, - "decimals": 1 - }, - { - "$$hashKey": "object:193", - "decimals": 2, - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": "0", - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - }, - "interval": "30s", - "bars": false, - "dashes": false, - "fill": 0, - "fillGradient": 0, - "hiddenSeries": false, - "percentage": false, - "points": false, - "stack": false, - "steppedLine": false, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/zeek_capture_loss_graph.json.jinja b/salt/grafana/panels/zeek_capture_loss_graph.json.jinja deleted file mode 100644 index 53adcd7fa..000000000 --- a/salt/grafana/panels/zeek_capture_loss_graph.json.jinja +++ /dev/null 
@@ -1,203 +0,0 @@ -{ - "id": 71, - "gridPos": { - "x": {{ PANELS.zeek_capture_loss_graph.gridPos.x }}, - "y": {{ PANELS.zeek_capture_loss_graph.gridPos.y }}, - "w": {{ PANELS.zeek_capture_loss_graph.gridPos.w }}, - "h": {{ PANELS.zeek_capture_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Capture Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "auto", - "pointSize": 6, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "decimals": 1, - "min": 0 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: Loss Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "zeekcaptureloss", - "orderByTime": "ASC", - "policy": "default", - "refId": 
"A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "loss" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "$tag_host: Loss Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": true, - "measurement": "zeekcaptureloss", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_loss" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/zeek_packet_loss_graph.json.jinja b/salt/grafana/panels/zeek_packet_loss_graph.json.jinja deleted file mode 100644 index 7d2c8ae2b..000000000 --- a/salt/grafana/panels/zeek_packet_loss_graph.json.jinja +++ /dev/null 
@@ -1,244 +0,0 @@ -{ - "id": 2022, - "gridPos": { - "x": {{ PANELS.zeek_packet_loss_graph.gridPos.x }}, - "y": {{ PANELS.zeek_packet_loss_graph.gridPos.y }}, - "w": {{ PANELS.zeek_packet_loss_graph.gridPos.w }}, - "h": {{ PANELS.zeek_packet_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Zeek Packet Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - }, - "lineStyle": { - "fill": "solid" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "Current $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - 
"role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "zeekdrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "Trend $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "hide": {{ PANELS.zeek_packet_loss_graph.get('hideTrend', false)|json }}, - "measurement": "zeekdrop", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/zeek_packet_loss_stat.json.jinja b/salt/grafana/panels/zeek_packet_loss_stat.json.jinja deleted file mode 100644 index 9d43f5a76..000000000 --- a/salt/grafana/panels/zeek_packet_loss_stat.json.jinja +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 1 - }, - { - "color": "dark-red", - "value": 5 - } - ] - }, - "mappings": [ - { - "op": "=", - "text": "N/A", - "value": "null", - "$$hashKey": "object:818", - "id": 0, - "type": 1 - } - ], - "unit": "percent", - "decimals": 2, - "color": { - "mode": "thresholds" - } - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.zeek_packet_loss_stat.gridPos.x }}, - "y": {{ PANELS.zeek_packet_loss_stat.gridPos.y }}, - "w": {{ PANELS.zeek_packet_loss_stat.gridPos.w }}, - "h": {{ PANELS.zeek_packet_loss_stat.gridPos.h }} - }, - "id": 2123, - "links": [], - "maxDataPoints": 100, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "zeekdrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "title": "Zeek Packet Loss", - "type": "stat", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "cacheTimeout": null, - "interval": null -} diff --git a/salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja b/salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja deleted file mode 100644 index 85dda1154..000000000 
--- a/salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja +++ /dev/null @@ -1,93 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 1 - } - ] - }, - "mappings": [] - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.x }}, - "y": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.y }}, - "w": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.w }}, - "h": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.h }} - }, - "id": 37, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "sum" - ], - "fields": "" - }, - "orientation": "auto", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "healthcheck", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "zeek_restart" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Zeek Restarts via Healthcheck", - "type": "stat" -} diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml deleted file mode 100644 index a1b056544..000000000 --- a/salt/grafana/soc_grafana.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -grafana: - config: - smtp: - enabled: - description: Enable the sending of emails from Grafana. - global: True - helpLink: grafana.html - host: - description: Hostname of the SMTP server. - global: True - helpLink: grafana.html - user: - description: Username for the SMTP server. - global: True - helpLink: grafana.html - password: - description: Password for the SMTP server. - global: True - sensitive: True - helpLink: grafana.html - cert_file: - description: Location of cert file for the SMTP server. - global: True - helpLink: grafana.html - key_file: - description: Location of key file for the SMTP server. - global: True - helpLink: grafana.html - skip_verify: - description: Verify SSL certificates. - global: True - helpLink: grafana.html - from_address: - description: The email address you would like in the From field. - global: True - helpLink: grafana.html - from_name: - description: The name displayed for the From email address. - global: True - helpLink: grafana.html - ehlo_identity: - description: Used for servers with SMTP service extensions. - global: True - helpLink: grafana.html - enterprise: - license_path: - description: Path to enterprise license key. - global: True - helpLink: grafana.html diff --git a/salt/grafana/templates/cluster_name.json b/salt/grafana/templates/cluster_name.json deleted file mode 100644 index bf6dbfb3f..000000000 --- a/salt/grafana/templates/cluster_name.json +++ /dev/null 
@@ -1,25 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.cluster_name.get('text', DASHBOARD)| json }}], - "value": [{{ TEMPLATES.cluster_name.get('value', DASHBOARD)| json }}] - }, - "datasource": "InfluxDB", - "definition": "show tag values with key=\"cluster_name\"", - "description": null, - "error": null, - "hide": {{ TEMPLATES.cluster_name.get('hide', 0)| json }}, - "includeAll": {{ TEMPLATES.cluster_name.get('includeAll', true)| json }}, - "label": "Cluster Name", - "multi": {{ TEMPLATES.cluster_name.get('multi', true)| json }}, - "name": "cluster_name", - "options": [], - "query": "show tag values with key=\"cluster_name\"", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" -} diff --git a/salt/grafana/templates/containers.json b/salt/grafana/templates/containers.json deleted file mode 100644 index 955c5c8e3..000000000 --- a/salt/grafana/templates/containers.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [], - "value": [] - }, - "datasource": "InfluxDB", - "definition": "SHOW TAG VALUES ON telegraf WITH KEY = container_name WHERE (_name = 'docker_container_cpu') AND ((host =~ /^$servername$/) AND (_tagKey = 'container_name'))", - "description": null, - "error": null, - "hide": 0, - "includeAll": true, - "label": "Docker Containers", - "multi": true, - "name": "containers", - "options": [], - "query": "SHOW TAG VALUES ON telegraf WITH KEY = container_name WHERE (_name = 'docker_container_cpu') AND ((host =~ /^$servername$/) AND (_tagKey = 'container_name'))", - "refresh": 1, - "regex": "/so-*/", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/cpucount.json b/salt/grafana/templates/cpucount.json deleted file mode 100644 index c41889565..000000000 
--- a/salt/grafana/templates/cpucount.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "allValue": null, - "current": {}, - "datasource": "InfluxDB", - "definition": "SELECT last(\"n_cpus\") FROM \"system\" WHERE \"host\" =~ /^$servername$/", - "description": null, - "error": null, - "hide": 2, - "includeAll": false, - "label": "CPU Count", - "multi": false, - "name": "cpucount", - "options": [], - "query": "SELECT last(\"n_cpus\") FROM \"system\" WHERE \"host\" =~ /^$servername$/", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/disk.json b/salt/grafana/templates/disk.json deleted file mode 100644 index ac1b190af..000000000 --- a/salt/grafana/templates/disk.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": "InfluxDB", - "definition": "", - "description": null, - "error": null, - "hide": 0, - "includeAll": true, - "label": "Disk", - "multi": true, - "name": "disk", - "options": [], - "query": "SHOW TAG VALUES ON telegraf FROM \"diskio\" WITH KEY = \"name\" WHERE host =~ /$servername/", - "refresh": 1, - "regex": "[a-z]d[\\D]$|nvme[\\d]n[\\d]$", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": null, - "tags": [], - "tagsQuery": null, - "type": "query", - "useTags": false -} - - - - - - - - - - - diff --git a/salt/grafana/templates/manint.json b/salt/grafana/templates/manint.json deleted file mode 100644 index 22015d274..000000000 --- a/salt/grafana/templates/manint.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [], - "value": [] - }, - "datasource": "InfluxDB", - "definition": "SELECT \"manint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "description": null, - "error": null, - "hide": 2, - "includeAll": true, - "label": "Management Interface", - "multi": true, - "name": "manint", - "options": [], - "query": "SELECT \"manint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/monint.json b/salt/grafana/templates/monint.json deleted file mode 100644 index 417ea8e62..000000000 --- a/salt/grafana/templates/monint.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [], - "value": [] - }, - "datasource": "InfluxDB", - "definition": "SELECT \"monint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "description": null, - "error": null, - "hide": 2, - "includeAll": true, - "label": "Monitor Interface", - "multi": true, - "name": "monint", - "options": [], - "query": "SELECT \"monint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/role.json b/salt/grafana/templates/role.json deleted file mode 100644 index de51ff5d2..000000000 --- a/salt/grafana/templates/role.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.role.get('text', DASHBOARD)| json }}], - "value": [{{ TEMPLATES.role.get('value', DASHBOARD)| json }}] - }, - "datasource": "InfluxDB", - "definition": "show tag values with key=\"role\"", - "description": null, - "error": null, - "hide": {{ TEMPLATES.role.get('hide', 0)| json }}, - "includeAll": {{ TEMPLATES.role.get('includeAll', true)| json }}, - "label": "Role", - "multi": {{ TEMPLATES.role.get('multi', true)| json }}, - "name": "role", - "options": [], - "query": "show tag values with key=\"role\"", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false -} diff --git a/salt/grafana/templates/searchnode.json b/salt/grafana/templates/searchnode.json deleted file mode 100644 index 57365cc57..000000000 --- a/salt/grafana/templates/searchnode.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.searchnode.get('text', DASHBOARD)| json }}], - "value": [{{ TEMPLATES.searchnode.get('value', DASHBOARD)| json }}] - }, - "datasource": "InfluxDB", - "definition": "show tag values with key=\"host\" WHERE (\"role\" =~ /search/) OR (\"role\" = 'heavynode') OR (\"role\" = 'standalone') OR (\"role\" = 'eval') ", - "description": null, - "error": null, - "hide": {{ TEMPLATES.searchnode.get('hide', 0)| json }}, - "includeAll": {{ TEMPLATES.searchnode.get('includeAll', true)| json }}, - "label": "Searchnode", - "multi": {{ TEMPLATES.searchnode.get('multi', true)| json }}, - "name": "searchnode", - "options": [], - "query": "show tag values with key=\"host\" WHERE (\"role\" =~ /search/) OR (\"role\" = 'heavynode') OR (\"role\" = 'standalone') OR (\"role\" = 'eval') ", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" -} 
diff --git a/salt/grafana/templates/servername.json b/salt/grafana/templates/servername.json deleted file mode 100644 index aaa90acfc..000000000 --- a/salt/grafana/templates/servername.json +++ /dev/null @@ -1,34 +0,0 @@ -{% if DASHBOARD == 'overview' %} - {% set query = "show tag values with key=\\\"host\\\" WHERE (\\\"role\\\" =~ /^$role$/)" %} -{% else %} -{% set query = "show tag values with key=\\\"host\\\" WHERE (\\\"role\\\" = '" ~ DASHBOARD ~ "' )" %} -{% endif %} -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.servername.get('text', '')| json }}], - "value": [{{ TEMPLATES.servername.get('value', '')| json }}] - }, - "datasource": "InfluxDB", - "definition": "{{ query }}", - "description": "", - "error": null, - "hide": 0, - "includeAll": true, - "label": "Node", - "multi": true, - "name": "servername", - "options": [], - "query": "{{ query }}", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/influxdb/config.yaml.jinja b/salt/influxdb/config.yaml.jinja new file mode 100644 index 000000000..720c4967c --- /dev/null +++ b/salt/influxdb/config.yaml.jinja @@ -0,0 +1,4 @@ +{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %} +{%- set INFLUXMERGED = salt['pillar.get']('influxdb:config', default=INFLUXDEFAULTS.influxdb.config, merge=true) %} + +{{ INFLUXMERGED | yaml(false) }} \ No newline at end of file diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml index 299666023..72c436a41 100644 --- a/salt/influxdb/defaults.yaml +++ b/salt/influxdb/defaults.yaml 
@@ -1,158 +1,69 @@ influxdb: config: - meta: - dir: /var/lib/influxdb/meta - retention-autocreate: true - logging-enabled: true - data: - dir: /var/lib/influxdb/data - wal-dir: /var/lib/influxdb/wal - wal-fsync-delay: 0s - index-version: inmem - race-logging-enabled: false - query-log-enabled: true - validate-keys: false - cache-max-memory-size: 1g - cache-snapshot-memory-size: 25m - cache-snapshot-write-cold-duration: 10m - compact-full-write-cold-duration: 4h - max-concurrent-compactions: 0 - compact-throughput: 48m - compact-throughput-burst: 48m - max-index-log-file-size: 1m - max-series-per-database: 1000000 - max-values-per-tag: 100000 - tsm-use-madv-willneed: false - coordinator: - write-timeout: 10s - max-concurrent-queries: 0 - query-timeout: 0s - log-queries-after: 0s - max-select-point: 0 - max-select-series: 0 - max-select-buckets: 0 - retention: - enabled: true - check-interval: 30m - shard-precreation: - enabled: true - check-interval: 10m - advance-period: 30m - monitor: - store-enabled: true - store-database: _internal - store-interval: 10s - http: - enabled: true - flux-enabled: true - bind-address: ':8086' - auth-enabled: false - realm: InfluxDB - log-enabled: false - suppress-write-log: false - access-log-path: '' - access-log-status-filters: [] - write-tracing: false - pprof-enabled: true - debug-pprof-enabled: false - https-enabled: true - https-certificate: /etc/ssl/influxdb.crt - https-private-key: /etc/ssl/influxdb.key - shared-secret: '' - max-row-limit: 0 - max-connection-limit: 0 - unix-socket-enabled: false - bind-socket: /var/run/influxdb.sock - max-body-size: 25000000 - max-concurrent-write-limit: 0 - max-enqueued-write-limit: 0 - enqueued-write-timeout: 0 - logging: - format: auto - level: info - suppress-logo: false - subscriber: - enabled: true - http-timeout: 30s - insecure-skip-verify: false - ca-certs: '' - write-concurrency: 40 - write-buffer-size: 1000 - graphite: - enabled: false - database: graphite - retention-policy: '' - 
bind-address: ':2003' - protocol: tcp - consistency-level: one - batch-size: 5000 - batch-pending: 10 - batch-timeout: 1s - udp-read-buffer: 0 - separator: '.' - tags: [] - templates: [] - collectd: - enabled: false - bind-address: ':25826' - database: collectd - retention-policy: '' - typesdb: /usr/local/share/collectd - security-level: none - auth-file: /etc/collectd/auth_file - batch-size: 5000 - bath-pending: 10 - batch-timeout: 10s - read-buffer: 0 - parse-multivalue-plugin: split - opentsdb: - enabled: false - bind-address: ':4242' - database: opentsdb - retention-policy: '' - consistency-level: one - tls-enabled: false - certificate: /etc/ssl/influxdb.pem - log-point-errors: true - batch-size: 1000 - batch-pending: 5 - bath-timeout: 1s - udp: - enabled: false - bind-address: ':8089' - database: udp - retention-policy: '' - precision: '' - batch-size: 5000 - batch-pending: 10 - batch-timeout: 1s - read-buffer: 0 - continuous_queries: - enabled: true - log-enabled: true - query-stats-enabled: false - run-interval: 1s - tls: - ciphers: - - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - - TLS_RSA_WITH_AES_128_CBC_SHA - - TLS_RSA_WITH_AES_128_CBC_SHA256 - - TLS_RSA_WITH_AES_128_GCM_SHA256 - - TLS_RSA_WITH_AES_256_CBC_SHA - - TLS_RSA_WITH_AES_256_GCM_SHA384 - min-version: tls1.2 - max-version: tls1.2 + bolt-path: /var/lib/influxdb2/influxd.bolt + engine-path: /var/lib/influxdb2/engine + feature-flags: + flux-log-enabled: false + hardening-enabled: true + http-bind-address: :8086 + http-idle-timeout: 0 + 
http-read-header-timeout: 10s + http-read-timeout: 0 + http-write-timeout: 0 + influxql-max-select-buckets: 0 + influxql-max-select-point: 0 + influxql-max-select-series: 0 + instance-id: + log-level: info + metrics-disabled: true + no-tasks: false + pprof-disabled: true + query-concurrency: 100 + query-initial-memory-bytes: 1073741824 + query-max-memory-bytes: 107374182400 + query-memory-bytes: 1073741824 + query-queue-size: 500 + reporting-disabled: true + secret-store: bolt + session-length: 60 + session-renew-disabled: false + sqlite-path: /var/lib/influxdb2/influxd.sqlite + storage-cache-max-memory-size: 1073741824 + storage-cache-snapshot-memory-size: 26214400 + storage-cache-snapshot-write-cold-duration: 10m0s + storage-compact-full-write-cold-duration: 4h0m0s + storage-compact-throughput-burst: 50331648 + storage-max-concurrent-compactions: 0 + storage-max-index-log-file-size: 1048576 + storage-no-validate-field-size: false + storage-retention-check-interval: 30m0s + storage-series-file-max-concurrent-snapshot-compactions: 0 + storage-series-id-set-cache-size: 100 + storage-shard-precreator-advance-period: 30m0s + storage-shard-precreator-check-interval: 10m0s + storage-tsm-use-madv-willneed: false + storage-validate-keys: false + storage-wal-fsync-delay: 0s + storage-wal-max-concurrent-writes: 0 + storage-wal-max-write-delay: 10m + storage-write-timeout: 10s + store: disk + tls-cert: /conf/influxdb.crt + tls-key: /conf/influxdb.key + tls-min-version: 1.2 + tls-strict-ciphers: true + tracing-type: log + ui-disabled: false + vault-addr: + vault-cacert: + vault-capath: + vault-client-cert: + vault-client-key: + vault-client-timeout: 60s + vault-max-retries: 2 + vault-skip-verify: false + vault-tls-server-name: + vault-token: retention_policies: so_short_term: default: True @@ -164,4 +75,4 @@ influxdb: shard_duration: 7d downsample: so_long_term: - resolution: 5m + resolution: 5m \ No newline at end of file 
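Review bot: The bare values added for `instance-id:` and the `vault-*` keys (`vault-addr:` through `vault-token:`) parse as YAML null rather than an empty string, so when config.yaml.jinja re-emits the merged mapping they come out as `null`, whereas the settings they replace used `''`; write them as `instance-id: ''` / `vault-token: ''` so the intended type is explicit. `tls-min-version: 1.2` is likewise parsed as a float and `http-bind-address: :8086` begins with an indicator character; quote both (`tls-min-version: '1.2'`, `http-bind-address: ':8086'`) as the removed `bind-address: ':8086'` line did. Since any `vault-token` supplied through the `influxdb:config` pillar is written verbatim into the rendered config file, the file that receives it needs a restrictive mode. The `retention_policies` and `downsample` keys below are kept even though the init.sls states that consumed them are removed in this same series; if nothing else reads them they are now dead defaults.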
diff --git a/salt/influxdb/etc/influxdb.conf.jinja b/salt/influxdb/etc/influxdb.conf.jinja deleted file mode 100644 index ce607292d..000000000 --- a/salt/influxdb/etc/influxdb.conf.jinja +++ /dev/null @@ -1,26 +0,0 @@ -{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %} -{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %} - -{%- for header in INFLUXMERGED.config.keys() %} -{%- if header in ['graphite', 'collectd', 'opentsdb', 'udp'] %} -[[{{header}}]] -{%- else %} -[{{header}}] -{%- endif %} -{%- for k, v in INFLUXMERGED.config[header].items() %} -{#- is v a list? #} -{%- if v is iterable and (v is not string and v is not mapping) %} - {{k}} = [ -{%- for li in v %} - "{{li}}", -{%- endfor %} - ] -{%- elif v is string %} - {{k}} = "{{v}}" -{%- elif v is boolean %} - {{k}} = {{v|string|lower}} -{%- else %} - {{k}} = {{v}} -{%- endif %} -{%- endfor %} -{%- endfor %} diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 4fe625209..ae98c908b 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls 
@@ -3,24 +3,19 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} +{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} +{% set TOKEN = salt['pillar.get']('secrets:influx_token') %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %} -{% import_yaml 'influxdb/defaults.yaml' as default_settings %} -{% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} -{% from 'salt/map.jinja' import PYTHON3INFLUX with context %} -{% from 'salt/map.jinja' import PYTHONINFLUXVERSION with context %} -{% set PYTHONINFLUXVERSIONINSTALLED = salt['cmd.run']("python3 -c \"exec('try:import influxdb; print (influxdb.__version__)\\nexcept:print(\\'Module Not Found\\')')\"", python_shell=True) %} include: - salt.minion - - salt.python3-influxdb - ssl # Influx DB influxconfdir: file.directory: - - name: /opt/so/conf/influxdb/etc + - name: /opt/so/conf/influxdb - makedirs: True influxlogdir: @@ -38,11 +33,11 @@ influxdbdir: influxdbconf: file.managed: - - name: /opt/so/conf/influxdb/etc/influxdb.conf + - name: /opt/so/conf/influxdb/config.yaml - user: 939 - group: 939 - template: jinja - - source: salt://influxdb/etc/influxdb.conf.jinja + - source: salt://influxdb/config.yaml.jinja so-influxdb: docker_container.running: 
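Review bot: `{% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %}` and the `TOKEN` line under it take no default and are never checked, so a manager whose pillar lacks `secrets:influx_pass` or `secrets:influx_token` either fails to render or, depending on how pillar.get treats the missing key, starts the container with an empty initial credential. Add a guard such as `{% if not PASSWORD or not TOKEN %}` that declares a `test.fail_without_changes` state and skips the container definition, rather than letting InfluxDB be initialised with a blank password or admin token. The role check on the following line is unchanged, so the guard can sit directly beneath it.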
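Review bot: `influxdbconf` now renders `/opt/so/conf/influxdb/config.yaml` with `user: 939` and `group: 939` but no `mode`, so the file is typically created world-readable; because defaults.yaml in this series introduces a `vault-token` key and config.yaml.jinja merges the `influxdb:config` pillar into the file verbatim, any token an operator sets there would be readable by every local user. Add `- mode: 640` under the existing `- group: 939` line. The same omission existed for the old influxdb.conf, but moving the file is the natural point to fix it.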
@@ -52,13 +47,21 @@ so-influxdb: - sobridge: - ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }} - environment: + - INFLUXD_CONFIG_PATH=/conf - INFLUXDB_HTTP_LOG_ENABLED=false + - DOCKER_INFLUXDB_INIT_MODE=setup + - DOCKER_INFLUXDB_INIT_USERNAME=so + - DOCKER_INFLUXDB_INIT_PASSWORD={{ password }} + - DOCKER_INFLUXDB_INIT_ORG="Security Onion" + - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term + - DOCKER_INFLUXDB_INIT_RETENTION=30d + - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ token }} - binds: - /opt/so/log/influxdb/:/log:rw - - /opt/so/conf/influxdb/etc/influxdb.conf:/etc/influxdb/influxdb.conf:ro - - /nsm/influxdb:/var/lib/influxdb:rw - - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro - - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro + - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro + - /nsm/influxdb:/var/lib/influxdb2:rw + - /etc/pki/influxdb.crt:/conf/influxdb.crt:ro + - /etc/pki/influxdb.key:/conf/influxdb.key:ro - port_bindings: {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} - {{ BINDING }} 
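Review bot: The added lines `DOCKER_INFLUXDB_INIT_PASSWORD={{ password }}` and `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ token }}` use lowercase names, but the variables set at the top of this file in the same commit are `PASSWORD` and `TOKEN`; Jinja is case-sensitive, so the render either fails on an undefined variable or initialises the database with empty credentials. Change them to `- DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}` and `- DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}`. `DOCKER_INFLUXDB_INIT_ORG="Security Onion"` is a plain YAML scalar, so the double quotes likely become part of the value; `- DOCKER_INFLUXDB_INIT_ORG=Security Onion` avoids the ambiguity. Credentials passed as container environment are also visible in the state's reported changes and to anyone who can inspect the container on the manager, so they should be treated as exposed to local administrators. The `so-influxdb` state starts before this hunk.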
@@ -86,75 +89,6 @@ get_influxdb_size:
 - month: '*'
 - dayweek: '*'
-# We have to make sure the influxdb module is the right version prior to state run since reload_modules is bugged
-{% if PYTHONINFLUXVERSIONINSTALLED == PYTHONINFLUXVERSION %}
-wait_for_influxdb:
- http.query:
- - name: 'https://{{GLOBALS.manager}}:8086/query?q=SHOW+DATABASES'
- - ssl: True
- - verify_ssl: False
- - status: 200
- - timeout: 10
- - retry:
- attempts: 20
- interval: 5
- - require:
- - docker_container: so-influxdb
-
-telegraf_database:
- influxdb_database.present:
- - name: telegraf
- - database: telegraf
- - ssl: True
- - verify_ssl: /etc/pki/ca.crt
- - cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- - influxdb_host: {{ GLOBALS.manager }}
- - require:
- - docker_container: so-influxdb
- - sls: salt.python3-influxdb
- - http: wait_for_influxdb
-
-{% for rp in influxdb.retention_policies.keys() %}
-{{rp}}_retention_policy:
- influxdb_retention_policy.present:
- - name: {{rp}}
- - database: telegraf
- - duration: {{influxdb.retention_policies[rp].duration}}
- - shard_duration: {{influxdb.retention_policies[rp].shard_duration}}
- - replication: 1
- - default: {{influxdb.retention_policies[rp].get('default', 'False')}}
- - ssl: True
- - verify_ssl: /etc/pki/ca.crt
- - cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- - influxdb_host: {{ GLOBALS.manager }}
- - require:
- - docker_container: so-influxdb
- - influxdb_database: telegraf_database
- - file: influxdb_retention_policy.present_patch
- - sls: salt.python3-influxdb
-{% endfor %}
-
-{% for dest_rp in influxdb.downsample.keys() %}
- {% for measurement in influxdb.downsample[dest_rp].get('measurements', []) %}
-so_downsample_{{measurement}}_cq:
- influxdb_continuous_query.present:
- - name: so_downsample_{{measurement}}_cq
- - database: telegraf
- - query: SELECT mean(*) INTO "{{dest_rp}}"."{{measurement}}" FROM "{{measurement}}" GROUP BY time({{influxdb.downsample[dest_rp].resolution}}),*
- - ssl: True
- - verify_ssl: /etc/pki/ca.crt
- - cert: ['/etc/pki/influxdb.crt', '/etc/pki/influxdb.key']
- - influxdb_host: {{ GLOBALS.manager }}
- - require:
- - docker_container: so-influxdb
- - influxdb_database: telegraf_database
- - file: influxdb_continuous_query.present_patch
- {% endfor %}
-{% endfor %}
-
-{% endif %}
-{% endif %}
-
 {% else %}
 {{sls}}_state_not_allowed:
diff --git a/salt/influxdb/map.jinja b/salt/influxdb/map.jinja
deleted file mode 100644
index a13d4c257..000000000
--- a/salt/influxdb/map.jinja
+++ /dev/null
@@ -1,9 +0,0 @@
-{% import_yaml 'influxdb/defaults.yaml' as INFLUXDB %}
-{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %}
-
-{% if measurements|length > 0 %}
-{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%}
-{% for measurement in measurements.splitlines() %}
-{% do INFLUXDB.influxdb.downsample.so_long_term.measurements.append(measurement)%}
-{% endfor %}
-{% endif %}
diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml
index 4ef705191..54e6df09b 100644
--- a/salt/influxdb/soc_influxdb.yaml
+++ b/salt/influxdb/soc_influxdb.yaml
@@ -1,362 +1,350 @@ influxdb: config: - meta: - logging-enabled: - description: Enable InfluxDB meta server logging. - global: True - helpLink: influxdb.html - data: - wal-fsync-delay: - description: The amount of time that a write will wait before fsyncing. - global: True - helpLink: influxdb.html - index-version: - description: The type of shard index to use for new shards. - global: True - helpLink: influxdb.html - trace-logging-enabled: - description: Trace logging provides more verbose output around the tsm engine. - global: True - advanced: True - helpLink: influxdb.html - query-log-enabled: - description: Whether queries should be logged before execution. - global: True - helpLink: influxdb.html - validate-keys: - description: Validates incoming writes to ensure keys only have valid unicode characters. - global: True - advanced: True - helpLink: influxdb.html - cache-max-memory-size: - description: The maximum size a shard's cache can reach before it starts rejecting writes. - global: True - helpLink: influxdb.html - cache-snapshot-memory-size: - description: The size at which the engine will snapshot the cache and write it to a TSM file, freeing up memory. - global: True - advanced: True - helpLink: influxdb.html - cache-snapshot-write-cold-duration: - description: The length of time at which the engine will snapshot the cache and write it to a new TSM file if the shard hasn't received writes or deletes. - global: True - advanced: True - helpLink: influxdb.html - compact-full-write-cold-duration: - description: The duration at which the engine will compact all TSM files in a shard if it hasn't received a write or delete. - global: True - advanced: True - helpLink: influxdb.html - max-concurrent-compactions: - description: The maximum number of concurrent full and level compactions that can run at one time. 
- global: True - helpLink: influxdb.html - compact-throughput: - description: The rate limit in bytes per second that we will allow TSM compactions to write to disk. - global: True - advanced: True - helpLink: influxdb.html - compact-throughput-burst: - description: The rate limit in bytes per second that we will allow TSM compactions to write to disk. - global: True - advanced: True - helpLink: influxdb.html - max-index-log-file-size: - description: The threshold, in bytes, when an index write-ahead log file will compact into an index file. - global: True - advanced: True - helpLink: influxdb.html - max-series-per-database: - description: The maximum series allowed per database before writes are dropped. - global: True - advanced: True - helpLink: influxdb.html - max-values-per-tag: - description: The maximum number of tag values per tag that are allowed before writes are dropped. - global: True - advanced: True - helpLink: influxdb.html - tsm-use-madv-willneed: - description: If true, then the mmap advise value MADV_WILLNEED will be provided to the kernel with respect to TSM files. - global: True - advanced: True - helpLink: influxdb.html - coordinator: - write-timeout: - description: The default time a write request will wait until a "timeout" error is returned to the caller. - global: True - helpLink: influxdb.html - max-concurrent-queries: - description: The maximum number of concurrent queries allowed to be executing at one time. - global: True - helpLink: influxdb.html - query-timeout: - description: The maximum time a query will is allowed to execute before being killed by the system. - global: True - helpLink: influxdb.html - log-queries-after: - description: The time threshold when a query will be logged as a slow query. - global: True - helpLink: influxdb.html - max-select-point: - description: The maximum number of points a SELECT can process. 
- global: True - advanced: True - helpLink: influxdb.html - max-select-series: - description: The maximum number of series a SELECT can run. - global: True - advanced: True - helpLink: influxdb.html - max-select-buckets: - description: The maxium number of group by time bucket a SELECT can create. - global: True - advanced: True - helpLink: influxdb.html - retention: - enabled: - description: Determines whether retention policy enforcement enabled. - global: True - advanced: True - helpLink: influxdb.html - check-interval: - description: The interval of time when retention policy enforcement checks run. - global: True - helpLink: influxdb.html - shard-precreation: - enabled: - description: Determines whether shard pre-creation service is enabled. - global: True - advanced: True - helpLink: influxdb.html - check-interval: - description: The interval of time when the check to pre-create new shards runs. - global: True - helpLink: influxdb.html - advance-period: - description: The default period ahead of the endtime of a shard group that its successor group is created. - global: True - advanced: True - helpLink: influxdb.html - monitor: - store-enabled: - description: Whether to record statistics internally. - global: True - helpLink: influxdb.html - store-database: - description: The destination database for recorded statistics. - global: True - advanced: True - helpLink: influxdb.html - store-interval: - description: The interval at which to record statistics. - global: True - helpLink: influxdb.html - http: - enabled: - description: Determines whether HTTP endpoint is enabled. - global: True - advanced: True - helpLink: influxdb.html - flux-enabled: - description: Determines whether the Flux query endpoint is enabled. - global: True - advanced: True - helpLink: influxdb.html - bind-address: - description: The bind address used by the HTTP service. 
- global: True - advanced: True - helpLink: influxdb.html - auth-enabled: - description: Determines whether user authentication is enabled over HTTP/HTTPS. - global: True - advanced: True - helpLink: influxdb.html - realm: - description: The default realm sent back when issuing a basic auth challenge. - global: True - advanced: True - helpLink: influxdb.html - log-enabled: - description: Determines whether HTTP request logging is enabled. - global: True - helpLink: influxdb.html - suppress-write-log: - description: Determines whether the HTTP write request logs should be suppressed when the log is enabled. - global: True - helpLink: influxdb.html - access-log-path: - description: Path for http access logs. - global: True - advanced: True - helpLink: influxdb.html - access-log-status-filters: - description: Filters which requests should be logged. - global: True - advanced: True - helpLink: influxdb.html - write-tracing: - description: Determines whether detailed write logging is enabled. - global: True - advanced: True - helpLink: influxdb.html - pprof-enabled: - description: Determines whether the pprof endpoint is enabled. - global: True - advanced: True - helpLink: influxdb.html - debug-pprof-enabled: - description: Determines whether the pprof endpoint is enabled in debug mode. - global: True - advanced: True - helpLink: influxdb.html - https-enabled: - description: Determines whether HTTPS is enabled. - global: True - helpLink: influxdb.html - https-certificate: - description: The SSL certificate to use when HTTPS is enabled. - global: True - advanced: True - helpLink: influxdb.html - https-private-key: - description: Use a separate private key location. - global: True - advanced: True - helpLink: influxdb.html - shared-secret: - description: The JWT auth shared secret to validate requests using JSON web tokens. 
- global: True - advanced: True - helpLink: influxdb.html - max-row-limit: - description: The default chunk size for result sets that should be chunked. - global: True - helpLink: influxdb.html - max-connection-limit: - description: The maximum number of HTTP connections that may be open at once. - global: True - helpLink: influxdb.html - unix-socket-enabled: - description: Enable http service over unix domain socket. - global: True - advanced: True - helpLink: influxdb.html - bind-socket: - description: The path of the unix domain socket. - global: True - advanced: True - helpLink: influxdb.html - max-body-size: - description: The maximum size of a client request body, in bytes. - global: True - helpLink: influxdb.html - max-concurrent-write-limit: - description: The maximum number of writes processed concurrently. - global: True - helpLink: influxdb.html - max-enqueued-write-limit: - description: The maximum number of writes queued for processing. - global: True - helpLink: influxdb.html - enqueued-write-timeout: - description: The maximum duration for a write to wait in the queue to be processed. - global: True - helpLink: influxdb.html - logging: - format: - description: Determines which log encoder to use for logs. - global: True - helpLink: influxdb.html - level: - description: Determines which level of logs will be emitted. - global: True - helpLink: influxdb.html - suppress-logo: - description: Suppresses the logo output that is printed when the program is started. - global: True - helpLink: influxdb.html - subscriber: - enabled: - description: Determines whether the subscriber service is enabled. - global: True - advanced: True - helpLink: influxdb.html - http-timeout: - description: The default timeout for HTTP writes to subscribers. - global: True - helpLink: influxdb.html - insecure-skip-verify: - description: Allows insecure HTTPS connections to subscribers. 
- global: True - advanced: True - helpLink: influxdb.html - ca-certs: - description: The path to the PEM encoded CA certs file. - global: True - advanced: True - helpLink: influxdb.html - write-concurrency: - description: he number of writer goroutines processing the write channel. - global: True - helpLink: influxdb.html - write-buffer-size: - description: The number of in-flight writes buffered in the write channel. - global: True - helpLink: influxdb.html - continuous_queries: - enabled: - description: Determines whether the continuous query service is enabled. - global: True - helpLink: influxdb.html - log-enabled: - description: Controls whether queries are logged when executed by the CQ service. - global: True - helpLink: influxdb.html - query-stats-enabled: - description: Controls whether queries are logged to the self-monitoring data store. - global: True - helpLink: influxdb.html - run-interval: - description: Interval for how often continuous queries will be checked if they need to run. - global: True - helpLink: influxdb.html - tls: - ciphers: - description: Determines the available set of cipher suites. - global: True - helpLink: influxdb.html - min-version: - description: Minimum version of the tls protocol that will be negotiated. - global: True - helpLink: influxdb.html - max-version: - description: Maximum version of the tls protocol that will be negotiated. - global: True - helpLink: influxdb.html + bolt-path: /var/lib/influxdb2/influxd.bolt + description: Path to the bolt DB file located inside the so-influxdb container. + global: True + advanced: True + helpLink: influxdb.html + engine-path: /var/lib/influxdb2/engine + description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data. + global: True + advanced: True + helpLink: influxdb.html + feature-flags: + description: List of key=value flags to enable. 
+ global: True + advanced: True + helpLink: influxdb.html + flux-log-enabled: false + description: Controls whether detailed flux query logging is enabled. + global: True + advanced: True + helpLink: influxdb.html + hardening-enabled: true + description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address. + global: True + advanced: True + helpLink: influxdb.html + http-bind-address: :8086 + description: The URL and port on which InfluxDB will listen for new connections. + global: True + advanced: True + helpLink: influxdb.html + http-idle-timeout: 0 + description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced. + global: True + advanced: True + helpLink: influxdb.html + http-read-header-timeout: 10s + description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced. + global: True + advanced: True + helpLink: influxdb.html + http-read-timeout: 0 + description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced. + global: True + advanced: True + helpLink: influxdb.html + http-write-timeout: 0 + description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced. + global: True + advanced: True + helpLink: influxdb.html + influxql-max-select-buckets: 0 + description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited. + global: True + advanced: True + helpLink: influxdb.html + influxql-max-select-point: 0 + description: Maximum number of points that can be queried in a SELECT statement. A value of 0 is the same as unlimited. 
+ global: True + advanced: True + helpLink: influxdb.html + influxql-max-select-series: 0 + description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited. + global: True + advanced: True + helpLink: influxdb.html + instance-id: + description: Unique instance ID for this server, to avoid collisions in a replicated cluster. + global: True + advanced: True + helpLink: influxdb.html + log-level: info + description: The log level to use for outputting log statements. Allowed values are debug, info, or error. + global: True + advanced: false + regex: ^(info|debug|error)$ + helpLink: influxdb.html + metrics-disabled: true + description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible. + global: True + advanced: True + helpLink: influxdb.html + no-tasks: false + description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems. + global: True + advanced: True + helpLink: influxdb.html + pprof-disabled: true + description: If true, the profiling data HTTP endpoint will be inaccessible. + global: True + advanced: True + helpLink: influxdb.html + query-concurrency: 100 + description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited. + global: True + advanced: True + helpLink: influxdb.html + query-initial-memory-bytes: 1073741824 + description: The initial number of bytes of memory to allocate for a new query. + global: True + advanced: True + helpLink: influxdb.html + query-max-memory-bytes: 107374182400 + description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries. + global: True + advanced: True + helpLink: influxdb.html + query-memory-bytes: 1073741824 + description: Maximum number of bytes of memory to allocate to a query. 
+ global: True + advanced: True + helpLink: influxdb.html + query-queue-size: 500 + description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited. + global: True + advanced: True + helpLink: influxdb.html + reporting-disabled: true + description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers. + global: True + advanced: True + helpLink: influxdb.html + secret-store: bolt + description: Determines the type of storage used for secrets. Allowed values are bolt or vault. + global: True + advanced: True + regex: ^(bolt|vault)$ + helpLink: influxdb.html + session-length: 60 + description: Number of minutes that a user login session can remain authenticated. + global: True + advanced: True + helpLink: influxdb.html + session-renew-disabled: false + description: If true, user login sessions will renew after each request. + global: True + advanced: True + helpLink: influxdb.html + sqlite-path: /var/lib/influxdb2/influxd.sqlite + description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database. + global: True + advanced: True + helpLink: influxdb.html + storage-cache-max-memory-size: 1073741824 + description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected. + global: True + advanced: True + helpLink: influxdb.html + storage-cache-snapshot-memory-size: 26214400 + description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory. + global: True + advanced: True + helpLink: influxdb.html + storage-cache-snapshot-write-cold-duration: 10m0s + description: Duration between snapshot writes to disk when the shard data hasn't been modified. 
+ global: True + advanced: True + helpLink: influxdb.html + storage-compact-full-write-cold-duration: 4h0m0s + description: Duration between shard compactions when the shard data hasn't been modified. + global: True + advanced: True + helpLink: influxdb.html + storage-compact-throughput-burst: 50331648 + description: Maximum throughput (number of bytes per second) that compactions be written to disk. + global: True + advanced: True + helpLink: influxdb.html + storage-max-concurrent-compactions: 0 + description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs). + global: True + advanced: True + helpLink: influxdb.html + storage-max-index-log-file-size: 1048576 + description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk. + global: True + advanced: True + helpLink: influxdb.html + storage-no-validate-field-size: false + description: If true, incoming requests will skip the field size validation. + global: True + advanced: True + helpLink: influxdb.html + storage-retention-check-interval: 30m0s + description: Interval between reviewing each bucket's retention policy and the age of the associated data. + global: True + advanced: True + helpLink: influxdb.html + storage-series-file-max-concurrent-snapshot-compactions: 0 + description: Maximum number of concurrent snapshot compactions across all database partitions. + global: True + advanced: True + helpLink: influxdb.html + storage-series-id-set-cache-size: 100 + description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups. + global: True + advanced: True + helpLink: influxdb.html + storage-shard-precreator-advance-period: 30m0s + description: The duration before a successor shard group is created after the end-time has been reached. 
+ global: True + advanced: True + helpLink: influxdb.html + storage-shard-precreator-check-interval: 10m0s + description: Interval between checking if new shards should be created. + global: True + advanced: True + helpLink: influxdb.html + storage-tsm-use-madv-willneed: false + description: If true, InfluxDB will manage TSM memory paging. + global: True + advanced: True + helpLink: influxdb.html + storage-validate-keys: false + description: If true, validates incoming requests for supported characters. + global: True + advanced: True + helpLink: influxdb.html + storage-wal-fsync-delay: 0s + description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks. + global: True + advanced: True + helpLink: influxdb.html + storage-wal-max-concurrent-writes: 0 + description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2. + global: True + advanced: True + helpLink: influxdb.html + storage-wal-max-write-delay: 10m + description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout. + global: True + advanced: True + helpLink: influxdb.html + storage-write-timeout: 10s + description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting. + global: True + advanced: True + helpLink: influxdb.html + store: disk + description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations. + global: True + advanced: True + regex: ^(disk|memory)$ + helpLink: influxdb.html + tls-cert: /conf/influxdb.crt + description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses. 
+ global: True + advanced: True + helpLink: influxdb.html + tls-key: /conf/influxdb.key + description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses. + global: True + advanced: True + helpLink: influxdb.html + tls-min-version: 1.2 + description: The minimum supported version of TLS to be enforced on all incoming HTTP requests. + global: True + advanced: True + helpLink: influxdb.html + tls-strict-ciphers: true + description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA. + global: True + advanced: True + helpLink: influxdb.html + tracing-type: log + description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing. + global: True + advanced: True + helpLink: influxdb.html + ui-disabled: false + description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations. + global: True + advanced: True + helpLink: influxdb.html + vault-addr: + description: Vault server address. + global: True + advanced: True + helpLink: influxdb.html + vault-cacert: + description: Path to the Vault's single certificate authority certificate file within the container. + global: True + advanced: True + helpLink: influxdb.html + vault-capath: + description: Path to the Vault's certificate authority directory within the container. + global: True + advanced: True + helpLink: influxdb.html + vault-client-cert: + description: Vault client certificate path within the container. + global: True + advanced: True + helpLink: influxdb.html + vault-client-key: + description: Vault client certificate key path within the container. 
+ global: True + advanced: True + helpLink: influxdb.html + vault-client-timeout: 60s + description: Duration to wait for a response from the Vault server before aborting. + global: True + advanced: True + helpLink: influxdb.html + vault-max-retries: 2 + description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries. + global: True + advanced: True + helpLink: influxdb.html + vault-skip-verify: false + description: Skip certification validation of the Vault server. + global: True + advanced: True + helpLink: influxdb.html + vault-tls-server-name: + description: SNI host to specify when using TLS to connect to the Vault server. + global: True + advanced: True + helpLink: influxdb.html + vault-token: + description: Vault token used for authentication. + global: True + advanced: True + helpLink: influxdb.html retention_policies: so_short_term: duration: description: Amount of time to keep short term data. global: True - helpLink: grafana.html#data + helpLink: influxdb.html shard_duration: description: Time range global: True - helpLink: grafana.html#data + helpLink: influxdb.html so_long_term: duration: description: Amount of time to keep long term downsampled data. global: True - helpLink: grafana.html#data + helpLink: influxdb.html shard_duration: description: Amount of the time range covered by the shard group. global: True - helpLink: grafana.html#data + helpLink: influxdb.html downsample: so_long_term: resolution: description: Amount of time to turn into a single data point. global: True - helpLink: grafana.html#data \ No newline at end of file + helpLink: influxdb.html \ No newline at end of file diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index d09325f0e..52d3613a3 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
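Review bot: The description for `session-renew-disabled: false` is inverted — it says "If true, user login sessions will renew after each request", but the key disables renewal, so true means sessions are not renewed; suggest `description: If true, user login sessions will not be renewed on each request.`. A few new scalars should be quoted so nothing downstream retypes them: `tls-min-version: 1.2` parses as a float and `http-bind-address: :8086` starts with a YAML indicator, so `tls-min-version: "1.2"` and `http-bind-address: ":8086"` are the safer spellings. `log-level` uses `advanced: false` while every other entry in this hunk uses `advanced: True`; pick one boolean spelling (`true`/`false`) for the whole file. The `sqlite-path` description has a typo ("This database stored user data" should be "stores"), and the `storage-compact-throughput-burst` description is missing a verb ("compactions can be written to disk").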
@@ -1,5 +1,9 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} {%- set role = grains.id.split('_') | last %} + +{%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} +{%- set influxauth = 'so:' + influxpass | base64 %} + worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; @@ -179,13 +183,14 @@ http { autoindex_localtime on; } - location /grafana/ { + location /influxdb/ { auth_request /auth/sessions/whoami; - rewrite /grafana/(.*) /$1 break; - proxy_pass http://{{ GLOBALS.manager_ip }}:3000/; + rewrite /influxdb/(.*) /$1 break; + proxy_pass http://{{ GLOBALS.manager_ip }}:8086/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; + proxy_set_header Authorization "Basic {{ influxauth }}"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index d340b1f68..b83b94493 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1076,11 +1076,11 @@ soc: icon: fa-external-link-alt target: so-osquery-manager link: /kibana/app/osquery/live_queries - - name: toolGrafana - description: toolGrafanaHelp + - name: toolInfluxDb + description: toolInfluxDbHelp icon: fa-external-link-alt - target: so-grafana - link: /grafana/d/so_overview + target: so-influxdb + link: /influxdb - name: toolCyberchef description: toolCyberchefHelp icon: fa-external-link-alt diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 1944aab41..4ae7ce38e 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -27,11 +27,6 @@ {% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %} -{% if pillar.manager.grafana == 0 %} -{% do SOCMERGED.server.client.inactiveTools.append('toolGrafana') %} -{% endif %} - - {% set standard_actions = SOCMERGED.pop('actions') %} {% if pillar.global.endgamehost is defined %} {% set endgame_dict = { 
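Review bot: In the `@@ -1,5 +1,9 @@` hunk, `{%- set influxauth = 'so:' + influxpass | base64 %}` applies the filter before the concatenation (Jinja binds `|` tighter than `+`), so the header added in the `@@ -179,13 +183,14 @@` hunk becomes `Basic so:<base64 of password>` instead of the Base64 of `so:<password>`; parenthesize it, `{%- set influxauth = ('so:' + influxpass) | base64_encode %}` — Salt's Jinja ships `base64_encode`, and I do not find a plain `base64` filter, so confirm the filter name renders at all. Separately, `proxy_set_header Authorization "Basic {{ influxauth }}";` hands the fixed `so` InfluxDB credential to every request that passes `auth_request /auth/sessions/whoami`, i.e. any logged-in SOC session reaches InfluxDB with that account's privileges; if that is intended, state it at the location block, e.g. `# every authenticated SOC session is proxied to InfluxDB as the 'so' account — keep that account read-only`. The `influx -ssl` invocation in `salt/influxdb/map.jinja` later in this series suggests the 8086 listener is TLS, in which case `proxy_pass http://{{ GLOBALS.manager_ip }}:8086/;` would need `https://`; confirm the listener scheme.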
diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index df5e78f32..e5574e7d1 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -53,7 +53,7 @@ tgrafconf: TGMERGED: {{ TGMERGED }} # this file will be read by telegraf to send node details (management interface, monitor interface, etc) -# into influx so that Grafana can build dashboards using queries +# into influx node_config: file.managed: - name: /opt/so/conf/telegraf/node_config.json diff --git a/salt/top.sls b/salt/top.sls index 4b8531f4d..5745b02db 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -80,7 +80,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall @@ -128,7 +127,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall @@ -174,7 +172,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall @@ -245,7 +242,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager index ee55c5317..f9d2e7cdc 100644 --- a/setup/automation/distributed-airgap-manager +++ b/setup/automation/distributed-airgap-manager @@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search index a3b7ffc3b..897014f3a 100644 --- a/setup/automation/distributed-airgap-search +++ b/setup/automation/distributed-airgap-search @@ -21,7 +21,6 @@ ADMINPASS2=onionuser # ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor index 3e6e46c6d..7f6565595 100644 --- a/setup/automation/distributed-airgap-sensor 
+++ b/setup/automation/distributed-airgap-sensor @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-cloud-manager b/setup/automation/distributed-cloud-manager index 721fb7e13..baaf4a11c 100644 --- a/setup/automation/distributed-cloud-manager +++ b/setup/automation/distributed-cloud-manager @@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-cloud-search b/setup/automation/distributed-cloud-search index dc6c2f97f..42c6b5726 100644 --- a/setup/automation/distributed-cloud-search +++ b/setup/automation/distributed-cloud-search @@ -21,7 +21,6 @@ ADMINPASS2=onionuser #ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -#GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-cloud-sensor b/setup/automation/distributed-cloud-sensor index 56156e516..bb7f8716f 100644 --- a/setup/automation/distributed-cloud-sensor +++ b/setup/automation/distributed-cloud-sensor @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -#GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager index 32de661e7..c601d3283 100644 --- a/setup/automation/distributed-iso-manager +++ b/setup/automation/distributed-iso-manager @@ -21,7 +21,6 @@ BASICSURI=7 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search index 095436788..87165c053 100644 
--- a/setup/automation/distributed-iso-search +++ b/setup/automation/distributed-iso-search @@ -21,7 +21,6 @@ ADMINPASS2=onionuser # ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index 11a78b9c8..6762488f7 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-centos-manager b/setup/automation/distributed-net-centos-manager index 32de661e7..c601d3283 100644 --- a/setup/automation/distributed-net-centos-manager +++ b/setup/automation/distributed-net-centos-manager @@ -21,7 +21,6 @@ BASICSURI=7 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-centos-search b/setup/automation/distributed-net-centos-search index ab67e11d8..8a3fb7784 100644 --- a/setup/automation/distributed-net-centos-search +++ b/setup/automation/distributed-net-centos-search @@ -21,7 +21,6 @@ ADMINPASS2=onionuser # ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-centos-sensor b/setup/automation/distributed-net-centos-sensor index b3f0d01d4..4b38ff510 100644 --- a/setup/automation/distributed-net-centos-sensor +++ b/setup/automation/distributed-net-centos-sensor @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit 
diff --git a/setup/automation/distributed-net-ubuntu-manager b/setup/automation/distributed-net-ubuntu-manager index 339f651ae..4cc4f65d9 100644 --- a/setup/automation/distributed-net-ubuntu-manager +++ b/setup/automation/distributed-net-ubuntu-manager @@ -21,7 +21,6 @@ BASICSURI=7 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-ubuntu-search b/setup/automation/distributed-net-ubuntu-search index 398432647..0ad135e1a 100644 --- a/setup/automation/distributed-net-ubuntu-search +++ b/setup/automation/distributed-net-ubuntu-search @@ -21,7 +21,6 @@ ADMINPASS2=onionuser # ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-ubuntu-sensor b/setup/automation/distributed-net-ubuntu-sensor index d25bf0080..c69ec3200 100644 --- a/setup/automation/distributed-net-ubuntu-sensor +++ b/setup/automation/distributed-net-ubuntu-sensor @@ -21,7 +21,6 @@ BNICS=ens19 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-ubuntu-suricata-manager b/setup/automation/distributed-net-ubuntu-suricata-manager index 614d12c6f..1285eb6ba 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-manager +++ b/setup/automation/distributed-net-ubuntu-suricata-manager @@ -21,7 +21,6 @@ BASICSURI=7 ZEEKVERSION=SURICATA # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search index 138b273c4..bc1956e52 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-search 
+++ b/setup/automation/distributed-net-ubuntu-suricata-search @@ -21,7 +21,6 @@ ADMINPASS2=onionuser # ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor index 58fb922a3..f54fd19a3 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-sensor +++ b/setup/automation/distributed-net-ubuntu-suricata-sensor @@ -21,7 +21,6 @@ BNICS=ens19 ZEEKVERSION=SURICATA # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap index 595d21a32..45235ccda 100644 --- a/setup/automation/eval-airgap +++ b/setup/automation/eval-airgap @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/eval-cloud b/setup/automation/eval-cloud index 997d7e53b..8a18cb78c 100644 --- a/setup/automation/eval-cloud +++ b/setup/automation/eval-cloud @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso index 5c41e1b12..a0bddf54f 100644 --- a/setup/automation/eval-iso +++ b/setup/automation/eval-iso @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos index b56b45a52..9ecab5ee0 100644 --- a/setup/automation/eval-net-centos +++ b/setup/automation/eval-net-centos 
@@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/eval-net-ubuntu b/setup/automation/eval-net-ubuntu index 24c68896a..1f16bb336 100644 --- a/setup/automation/eval-net-ubuntu +++ b/setup/automation/eval-net-ubuntu @@ -21,7 +21,6 @@ BNICS=ens19 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap index d1d153177..1e3fdb70a 100644 --- a/setup/automation/import-airgap +++ b/setup/automation/import-airgap @@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/import-cloud b/setup/automation/import-cloud index 684e487fd..e12b00863 100644 --- a/setup/automation/import-cloud +++ b/setup/automation/import-cloud @@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/import-iso b/setup/automation/import-iso index 7ad671b37..ad111cff6 100644 --- a/setup/automation/import-iso +++ b/setup/automation/import-iso @@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos index cfeef5cb4..a18400148 100644 --- a/setup/automation/import-net-centos +++ b/setup/automation/import-net-centos 
@@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu index e6fcc2b6b..82240f4f6 100644 --- a/setup/automation/import-net-ubuntu +++ b/setup/automation/import-net-ubuntu @@ -21,7 +21,6 @@ BASICSURI=2 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -# GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap index 44be7b270..2c0a5af0f 100644 --- a/setup/automation/standalone-airgap +++ b/setup/automation/standalone-airgap @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-cloud b/setup/automation/standalone-cloud index 66c123362..01b3120fb 100644 --- a/setup/automation/standalone-cloud +++ b/setup/automation/standalone-cloud @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso index 11eac77b9..ea0f7ddb5 100644 --- a/setup/automation/standalone-iso +++ b/setup/automation/standalone-iso @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-iso-logscan b/setup/automation/standalone-iso-logscan index 9249fa4ed..9e5f29602 100644 --- a/setup/automation/standalone-iso-logscan +++ b/setup/automation/standalone-iso-logscan 
@@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-iso-suricata index e14049a34..625930a07 100644 --- a/setup/automation/standalone-iso-suricata +++ b/setup/automation/standalone-iso-suricata @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=SURICATA # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-net-centos b/setup/automation/standalone-net-centos index 0b36e600a..4179ac39c 100644 --- a/setup/automation/standalone-net-centos +++ b/setup/automation/standalone-net-centos @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-net-centos-proxy b/setup/automation/standalone-net-centos-proxy index b22fc4b74..ffabf5ebd 100644 --- a/setup/automation/standalone-net-centos-proxy +++ b/setup/automation/standalone-net-centos-proxy @@ -21,7 +21,6 @@ BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/automation/standalone-net-ubuntu b/setup/automation/standalone-net-ubuntu index 9c62dda04..ad17ec756 100644 --- a/setup/automation/standalone-net-ubuntu +++ b/setup/automation/standalone-net-ubuntu @@ -21,7 +21,6 @@ BNICS=ens19 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC -GRAFANA=1 # HELIXAPIKEY= HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit diff --git a/setup/so-functions b/setup/so-functions index e15c7a191..b62c257b7 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1213,7 +1213,8 @@ generate_passwords(){
 PLAYBOOKDBPASS=$(get_random_value)
 PLAYBOOKADMINPASS=$(get_random_value)
 PLAYBOOKAUTOMATIONPASS=$(get_random_value)
- GRAFANAPASS=$(get_random_value)
+ INFLUXPASS=$(get_random_value)
+ INFLUXTOKEN=$(head -c 64 /dev/urandom | base64)
 SENSORONIKEY=$(get_random_value)
 KRATOSKEY=$(get_random_value)
 REDISPASS=$(get_random_value)
@@ -1365,10 +1366,8 @@ manager_pillar() {
 touch $adv_manager_pillar_file
 title "Create the manager pillar"
 if [[ $is_import ]]; then
- GRAFANA=0
 PLAYBOOK=0
 else
- GRAFANA=1
 PLAYBOOK=1
 fi
 printf '%s\n'\
@@ -1376,7 +1375,6 @@ manager_pillar() {
 " proxy: '$so_proxy'"\
 " no_proxy: '$no_proxy_string'"\
 " elastalert: 1"\
- " grafana: $GRAFANA"\
 " playbook: $PLAYBOOK"\
 "" > "$manager_pillar_file"
 }
@@ -2056,7 +2054,8 @@ secrets_pillar(){
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 " playbook_automation_api_key: "\
- " grafana_admin: $GRAFANAPASS" > $local_salt_dir/pillar/secrets.sls
+ " influx_pass: $INFLUXPASS"\
+ " influx_token: $INFLUXTOKEN" > $local_salt_dir/pillar/secrets.sls
 fi
 }
From a1ac1785d340ec2597a418697a3bab6c536d2eef Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 8 Feb 2023 13:40:27 -0500
Subject: [PATCH 043/470] upgrade influx
---
 .../sbin/so-grafana-dashboard-folder-delete | 20 +++++++++++++++++++
 salt/common/tools/sbin/so-grafana-restart | 12 +++++++++++
 salt/common/tools/sbin/so-grafana-start | 12 +++++++++++
 salt/common/tools/sbin/so-grafana-stop | 12 +++++++++++
 salt/influxdb/map.jinja | 9 +++++++++
 5 files changed, 65 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-grafana-dashboard-folder-delete
 create mode 100644 salt/common/tools/sbin/so-grafana-restart
 create mode 100644 salt/common/tools/sbin/so-grafana-start
 create mode 100644 salt/common/tools/sbin/so-grafana-stop
 create mode 100644 salt/influxdb/map.jinja
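Review bot: `INFLUXTOKEN=$(head -c 64 /dev/urandom | base64)` in the `generate_passwords` hunk produces 88 Base64 characters, and GNU `base64` wraps its output at 76 columns, so the value carries an embedded newline that the `secrets_pillar` hunk then writes into the `influx_token:` line and breaks the pillar YAML; use `INFLUXTOKEN=$(head -c 64 /dev/urandom | base64 -w 0)` (or pipe through `tr -d '\n'`). The new `influx_pass`/`influx_token` lines are emitted as unquoted plain scalars like the entries before them; Base64 cannot contain YAML indicators, but `get_random_value`'s alphabet is not visible here, so quoting the password as `manager_pillar` already does for `proxy:` would be the safer form. The bodies of `generate_passwords`, `manager_pillar` and `secrets_pillar` continue outside these hunks.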
diff --git a/salt/common/tools/sbin/so-grafana-dashboard-folder-delete b/salt/common/tools/sbin/so-grafana-dashboard-folder-delete new file mode 100644 index 000000000..0783fccea --- /dev/null +++ b/salt/common/tools/sbin/so-grafana-dashboard-folder-delete @@ -0,0 +1,20 @@ +# this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70 + +# Exit if an error occurs. The next highstate will retry. +set -e + +folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64') +delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode") + +for row in $folders; do + title=$(echo ${row} | base64 --decode | jq -r '.title') + uid=$(echo ${row} | base64 --decode | jq -r '.uid') + + if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then + curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid + fi +done + +echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete + +exit 0 diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart new file mode 100644 index 000000000..f8fbcb9c1 --- /dev/null +++ b/salt/common/tools/sbin/so-grafana-restart @@ -0,0 +1,12 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + + +. /usr/sbin/so-common + +/usr/sbin/so-restart grafana $1 
diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start new file mode 100644 index 000000000..dfea3b8dc --- /dev/null +++ b/salt/common/tools/sbin/so-grafana-start @@ -0,0 +1,12 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + + +. /usr/sbin/so-common + +/usr/sbin/so-start grafana $1 diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop new file mode 100644 index 000000000..62552f17f --- /dev/null +++ b/salt/common/tools/sbin/so-grafana-stop @@ -0,0 +1,12 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + + +. /usr/sbin/so-common + +/usr/sbin/so-stop grafana $1 diff --git a/salt/influxdb/map.jinja b/salt/influxdb/map.jinja new file mode 100644 index 000000000..a13d4c257 --- /dev/null +++ b/salt/influxdb/map.jinja 
@@ -0,0 +1,9 @@
+{% import_yaml 'influxdb/defaults.yaml' as INFLUXDB %}
+{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %}
+
+{% if measurements|length > 0 %}
+{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%}
+{% for measurement in measurements.splitlines() %}
+{% do INFLUXDB.influxdb.downsample.so_long_term.measurements.append(measurement)%}
+{% endfor %}
+{% endif %}
From 51674b3a5bc25909b3d27e4a3b4350eae9016275 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 8 Feb 2023 13:50:32 -0500
Subject: [PATCH 044/470] upgrade influx
---
 .../sbin/so-grafana-dashboard-folder-delete | 20 -------------------
 salt/common/tools/sbin/so-grafana-restart | 12 -----------
 salt/common/tools/sbin/so-grafana-start | 12 -----------
 salt/common/tools/sbin/so-grafana-stop | 12 -----------
 4 files changed, 56 deletions(-)
 delete mode 100644 salt/common/tools/sbin/so-grafana-dashboard-folder-delete
 delete mode 100644 salt/common/tools/sbin/so-grafana-restart
 delete mode 100644 salt/common/tools/sbin/so-grafana-start
 delete mode 100644 salt/common/tools/sbin/so-grafana-stop
diff --git a/salt/common/tools/sbin/so-grafana-dashboard-folder-delete b/salt/common/tools/sbin/so-grafana-dashboard-folder-delete
deleted file mode 100644
index 0783fccea..000000000
--- a/salt/common/tools/sbin/so-grafana-dashboard-folder-delete
+++ /dev/null
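Review bot: `{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%}` is not valid Jinja — `update` is given a bare `key: value` where a dict literal is required — so the template fails to parse at all, not only when the query returns rows; it should read `{% do INFLUXDB.influxdb.downsample.so_long_term.update({'measurements': []}) %}`. The `salt['cmd.shell']` line runs `docker exec … influx -ssl -unsafeSsl …` on every render of this map, and `-unsafeSsl` disables certificate verification; that is tolerable for a loopback `docker exec` against the local container but should be stated so the flag is not copied to a remote target, e.g. `{# -unsafeSsl: the CLI talks to the local container's self-signed cert only #}`. An empty measurement list and a failed query are also indistinguishable here, since both yield an empty string and the only trace is `/root/measurement_query.log`; consider checking the command's return code before trusting an empty result.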
@@ -1,20 +0,0 @@ -# this script is used to delete the default Grafana dashboard folders that existed prior to Grafana dashboard and Salt management changes in 2.3.70 - -# Exit if an error occurs. The next highstate will retry. -set -e - -folders=$(curl -X GET http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders | jq -r '.[] | @base64') -delfolder=("Manager" "Manager Search" "Sensor Nodes" "Search Nodes" "Standalone" "Eval Mode") - -for row in $folders; do - title=$(echo ${row} | base64 --decode | jq -r '.title') - uid=$(echo ${row} | base64 --decode | jq -r '.uid') - - if [[ " ${delfolder[@]} " =~ " ${title} " ]]; then - curl -X DELETE http://admin:{{salt['pillar.get']('secrets:grafana_admin')}}@localhost:3000/api/folders/$uid - fi -done - -echo "so-grafana-dashboard-folder-delete has been run to delete default Grafana dashboard folders that existed prior to 2.3.70" > /opt/so/state/so-grafana-dashboard-folder-delete-complete - -exit 0 diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart deleted file mode 100644 index f8fbcb9c1..000000000 --- a/salt/common/tools/sbin/so-grafana-restart +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-restart grafana $1 diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start deleted file mode 100644 index dfea3b8dc..000000000 --- a/salt/common/tools/sbin/so-grafana-start +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-start grafana $1 diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop deleted file mode 100644 index 62552f17f..000000000 --- a/salt/common/tools/sbin/so-grafana-stop +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-stop grafana $1 From 44e60f1e57f7d607c952c840828943858c818a7f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 14:03:27 -0500 Subject: [PATCH 045/470] upgrade influx --- salt/influxdb/templates/container.json | 1 + salt/influxdb/templates/host.json | 1 + salt/influxdb/templates/role.json | 1 + salt/influxdb/templates/security_onion_performance.json | 1 + 4 files changed, 4 insertions(+) create mode 100644 salt/influxdb/templates/container.json create mode 100644 salt/influxdb/templates/host.json create mode 100644 salt/influxdb/templates/role.json create mode 100644 salt/influxdb/templates/security_onion_performance.json diff --git a/salt/influxdb/templates/container.json b/salt/influxdb/templates/container.json new file mode 100644 index 000000000..77ff20bde --- /dev/null +++ b/salt/influxdb/templates/container.json 
@@ -0,0 +1 @@ +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] diff --git a/salt/influxdb/templates/host.json b/salt/influxdb/templates/host.json new file mode 100644 index 000000000..adfdf884f --- /dev/null +++ b/salt/influxdb/templates/host.json @@ -0,0 +1 @@ +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] diff --git a/salt/influxdb/templates/role.json b/salt/influxdb/templates/role.json new file mode 100644 index 000000000..72b48bdd7 --- /dev/null +++ b/salt/influxdb/templates/role.json @@ -0,0 +1 @@ +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] 
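Review bot: The three `Variable` templates ship `"selected"` defaults that look like leftovers from a development box — `"cool_gauss"` (a Docker auto-generated container name), `"dev"` and `"standalone"` — so on most deployments the variables initially point at values that do not exist; each template's `static` rows already inject an `"All"` entry, which is the sensible default, i.e. `"selected":["All"]` in all three files. The dashboard in `security_onion_performance.json` later in this commit tests `v.Host != \"(All)\"` while `host.json` defines the variable as `host` with sentinel value `"All"`, so the filter appears never to match the sentinel; confirm the variable name and sentinel are consistent across the templates.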
diff --git a/salt/influxdb/templates/security_onion_performance.json b/salt/influxdb/templates/security_onion_performance.json new file mode 100644 index 000000000..9baa33b8d --- /dev/null +++ b/salt/influxdb/templates/security_onion_performance.json 
@@ -0,0 +1 @@ +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty 
Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_uptime\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> yield(name: 
\"last\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n 
|> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables 
|> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => 
r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_seconds\")\n |> set(key: 
\"_field\", value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IOWait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = 
(tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n 
|> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":30},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty 
Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == 
\"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"last\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if 
v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == 
v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Monitor Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek 
Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: 
v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: 
[\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: 
traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> 
range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter 
= (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: 
mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", 
\"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: 
v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => 
r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":95},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":85},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_loss\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"viridian","type":"text","hex":"#32B08C"},{"id":"SpQHOj76fJwL4uNUdgA_L","name":"pineapple","type":"text","hex":"#FFB94A","value":85},{"id":"FALp969me_9GTrRtLYaab","name":"ruby","type":"text","hex":"#BF3D5E","value":95}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"RootFS Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"name":"Security Onion Performance"}}] 
From 67c8f6ba69cf67e8fccfe5e1fe084587c5106e11 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 14:25:36 -0500 Subject: [PATCH 046/470] avoid cr/lr --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 31405a2d8..8dbd920f6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1214,7 +1214,7 @@ generate_passwords(){ PLAYBOOKADMINPASS=$(get_random_value) PLAYBOOKAUTOMATIONPASS=$(get_random_value) INFLUXPASS=$(get_random_value) - INFLUXTOKEN=$(head -c 64 /dev/urandom | base64) + INFLUXTOKEN=$(head -c 64 /dev/urandom | base64 -wrap=0) SENSORONIKEY=$(get_random_value) KRATOSKEY=$(get_random_value) REDISPASS=$(get_random_value) From 2fddcc1e9948d2690622f05debbba36f7b2dfaea Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 14:57:57 -0500 Subject: [PATCH 047/470] upgrade influx --- salt/influxdb/init.sls | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index ae98c908b..bdc14c5f8 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -3,11 +3,10 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} {% set TOKEN = salt['pillar.get']('secrets:influx_token') %} -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %} - include: - salt.minion - ssl @@ -89,6 +88,8 @@ get_influxdb_size: - month: '*' - dayweek: '*' +{% endif %} + {% else %} {{sls}}_state_not_allowed: From 22eaeb14621021b0605b1dc04efb92f28d93c01b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 15:00:44 -0500 Subject: [PATCH 048/470] upgrade influx --- salt/influxdb/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
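Review bot: `salt['pillar.get']('secrets:influx_pass')` and `salt['pillar.get']('secrets:influx_token')` are called without a default, so if either pillar key is missing, PASSWORD and TOKEN render as empty strings and the container state further down is initialised with blank credentials instead of the render failing. Moving the two lookups inside the role guard is a good change in itself (non-manager roles no longer read these secrets), but an empty value should be fatal; Salt's Jinja environment exposes `raise`, so something like `{% if not PASSWORD or not TOKEN %}{{ raise('secrets:influx_pass and secrets:influx_token pillar values are required') }}{% endif %}` right after the two `set` lines would do. The states that consume these variables are outside this hunk.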
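Review bot: The added `{% endif %}` sits directly before `{% else %}`, so that `else` can only belong to an `if` opened before line 3, outside this hunk — presumably the file's `allowed_states` guard, but that cannot be confirmed from here, and if no such outer `if` exists the template fails to render. Two nested blocks closed a few lines apart with nothing distinguishing them are easy to mis-edit later; marking the inner close, e.g. `{% endif %} {# grains['role'] check #}`, and the outer one correspondingly makes the pairing explicit.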
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index bdc14c5f8..2fbf88d3a 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -50,11 +50,11 @@ so-influxdb: - INFLUXDB_HTTP_LOG_ENABLED=false - DOCKER_INFLUXDB_INIT_MODE=setup - DOCKER_INFLUXDB_INIT_USERNAME=so - - DOCKER_INFLUXDB_INIT_PASSWORD={{ password }} + - DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }} - DOCKER_INFLUXDB_INIT_ORG="Security Onion" - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_RETENTION=30d - - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ token }} + - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} - binds: - /opt/so/log/influxdb/:/log:rw - /opt/so/conf/influxdb/config.yaml:/conf/config.yaml:ro From 713e9ee215484bbb857a52fd6cafa5ec8ed02b84 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 20:10:41 +0000 Subject: [PATCH 049/470] Create initial template for ILM policy load script --- .../sbin/so-elasticsearch-ilm-policy-load | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-load diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load new file mode 100644 index 000000000..2780ab59e --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load 
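Review bot: `DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }}` and `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }}` now carry the live admin credentials into the container environment, which is readable through `docker inspect` and the process environment by anyone with Docker socket or root access on the host, and the rendered values will also appear in highstate output whenever the container is recreated; the nginx config in this series gets `show_changes: False` for the same reason, so it is worth checking what this state echoes on change. As far as I know the influxdb image honours the `DOCKER_INFLUXDB_INIT_*` variables only on first start against an empty data directory, so changing the pillar value later does not rotate the credential — a comment above the `environment` list saying so would save a future operator some confusion. The `so-influxdb` state starts before this hunk.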
@@ -0,0 +1,19 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +# Set up ILM policies +echo +echo "Setting up default Security Onion index lifecycle management policies..." + +# Zeek logs +echo +echo "Setting up Zeek ILM policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "1gb", "max_age": "30d" } } } } } }' +echo From abbc92a58d6cd839459f3d20a07c0e43f3181a2c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 15:14:46 -0500 Subject: [PATCH 050/470] upgrade influx --- VERSION | 2 +- setup/so-functions | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 197c4d5c2..7f2e97617 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0 +2.4.0-kilo diff --git a/setup/so-functions b/setup/so-functions index 8dbd920f6..34bbe0610 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1214,7 +1214,7 @@ generate_passwords(){ PLAYBOOKADMINPASS=$(get_random_value) PLAYBOOKAUTOMATIONPASS=$(get_random_value) INFLUXPASS=$(get_random_value) - INFLUXTOKEN=$(head -c 64 /dev/urandom | base64 -wrap=0) + INFLUXTOKEN=$(head -c 64 /dev/urandom | base64 --wrap=0) SENSORONIKEY=$(get_random_value) KRATOSKEY=$(get_random_value) REDISPASS=$(get_random_value) From c43e69ad931718e44f454c6efac777ca84434f4b Mon Sep 17 00:00:00 2001 
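Review bot: The first line `#/bin/bash` is missing the `!`, so it is an ordinary comment rather than a shebang and the script runs under whatever shell happens to invoke it; it should read `#!/bin/bash`. The same defect is in `so-elasticsearch-ilm-policy-view`, added in PATCH 052 below. `$SESSIONCOOKIE` is passed in the `-b` argument but is not set anywhere in this file — presumably `so-common` exports it, otherwise an empty cookie is sent — and `-k` disables TLS verification on a request that carries that authenticated session, which is redundant if `curl.config` already supplies the CA and should be dropped if so. The inline `-d'{...}'` policy document would be easier to review and diff as a heredoc or a separate JSON file.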
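Review bot: `INFLUXTOKEN` is the only value in `generate_passwords` not produced by `get_random_value`, and nothing on the line says why, so a short comment would help, e.g. `# 64 random bytes, base64 on a single line (--wrap=0) so the token has no embedded newline`. The pipeline's exit status is that of `base64` alone unless `pipefail` is enabled somewhere in `so-functions`, which is outside the hunk; if it is not, a failing `head` would yield an empty token without any error. The function continues outside the hunk.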
From: Jason Ertel Date: Wed, 8 Feb 2023 15:57:14 -0500 Subject: [PATCH 051/470] influx upgrade --- salt/nginx/etc/nginx.conf | 2 +- salt/nginx/init.sls | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 52d3613a3..d72052a01 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -2,7 +2,7 @@ {%- set role = grains.id.split('_') | last %} {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} -{%- set influxauth = 'so:' + influxpass | base64 %} +{%- set influxauth = ('so:' + influxpass) | base64_encode %} worker_processes auto; error_log /var/log/nginx/error.log; diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index eac0e9ac8..d6839814f 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -28,6 +28,7 @@ nginxconf: - group: 939 - template: jinja - source: salt://nginx/etc/nginx.conf + - show_changes: False nginxlogdir: file.directory: From d6d01f8542aa50d37b03a01b87604995a5d63417 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:01:02 +0000 Subject: [PATCH 052/470] Add initial ILM policy view script --- .../tools/sbin/so-elasticsearch-ilm-policy-view | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-view diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view new file mode 100644 index 000000000..d69e328fe --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view 
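Review bot: `influxauth` is the Basic-auth credential nginx presents to the influx upstream, so the rendered nginx.conf is now exactly as sensitive as the `secrets:influx_pass` pillar value; the `nginxconf` state in this commit shows `group: 939` but its `mode` is outside the hunk, so confirm the file is not world-readable. The `show_changes: False` added in the init.sls hunk is presumably there to keep this value out of state output; tying the two together in the template would make that intent survive future edits, e.g. `{#- Basic-auth for the influxdb upstream; nginx.conf is written with show_changes: False so this is not echoed in state output -#}` above the `set`. The rest of the server configuration is outside the hunk.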
@@ -0,0 +1,15 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +if [ "$1" == "" ]; then + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy | jq . +else + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/policy/$1 | jq .[] +fi From 8ff0cf21cdf82df0530c2e806db1cd6fe5a8d9fb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 16:03:10 -0500 Subject: [PATCH 053/470] influx upgrade --- salt/influxdb/soc_influxdb.yaml | 110 ++++++++++++++++---------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index 54e6df09b..ef6519471 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml @@ -1,11 +1,11 @@ influxdb: config: - bolt-path: /var/lib/influxdb2/influxd.bolt + bolt-path: description: Path to the bolt DB file located inside the so-influxdb container. global: True advanced: True helpLink: influxdb.html - engine-path: /var/lib/influxdb2/engine + engine-path: description: Path to the engine directory located inside the so-influxdb container. This directory stores the time series data. global: True advanced: True 
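Review bot: `$1` is interpolated unquoted into the URL on the `else` branch (`.../_ilm/policy/$1`), so word splitting and globbing apply to whatever the caller passes; quote the whole URL, `curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://{{ NODEIP }}:9200/_ilm/policy/$1" | jq '.[]'`, and quote the `jq` filter as well since it is conventionally protected from the shell. The emptiness test `[ "$1" == "" ]` is more idiomatically `[ -z "$1" ]`. A one-line usage comment near the top (`# Usage: so-elasticsearch-ilm-policy-view [policy-name]`) would document the two branches.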
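Review bot: `bolt-path:` and `engine-path:` now have no value, which YAML parses as null rather than an empty string; if the intent is that these entries are annotations only and the effective value comes from a defaults file, that is not stated anywhere in this file, and a consumer that distinguishes null from `''` may behave differently. A header comment on the `influxdb:` key such as `# Annotations only; effective values come from the influxdb defaults` (or explicit `null` where a value is deliberately absent) would make the intent durable. The same applies to every key emptied in the two following hunks of this file.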
@@ -15,52 +15,52 @@ influxdb: global: True advanced: True helpLink: influxdb.html - flux-log-enabled: false + flux-log-enabled: description: Controls whether detailed flux query logging is enabled. global: True advanced: True helpLink: influxdb.html - hardening-enabled: true + hardening-enabled: description: If true, enforces outbound connections from the InfluxDB process must never attempt to reach an internal, private network address. global: True advanced: True helpLink: influxdb.html - http-bind-address: :8086 + http-bind-address: description: The URL and port on which InfluxDB will listen for new connections. global: True advanced: True helpLink: influxdb.html - http-idle-timeout: 0 + http-idle-timeout: description: Keep-alive timeout while a connection waits for new requests. A value of 0 is the same as no timeout enforced. global: True advanced: True helpLink: influxdb.html - http-read-header-timeout: 10s + http-read-header-timeout: description: The duration to wait for a request header before closing the connection. A value of 0 is the same as no timeout enforced. global: True advanced: True helpLink: influxdb.html - http-read-timeout: 0 + http-read-timeout: description: The duration to wait for the request to be fully read before closing the connection. A value of 0 is the same as no timeout enforced. global: True advanced: True helpLink: influxdb.html - http-write-timeout: 0 + http-write-timeout: description: The duration to wait for the response to be fully written before closing the connection. A value of 0 is the same as no timeout enforced. global: True advanced: True helpLink: influxdb.html - influxql-max-select-buckets: 0 + influxql-max-select-buckets: description: Maximum number of group-by clauses in a SELECT statement. A value of 0 is the same as unlimited. global: True advanced: True helpLink: influxdb.html - influxql-max-select-point: 0 + influxql-max-select-point: description: Maximum number of points that can be queried in a SELECT statement. 
A value of 0 is the same as unlimited. global: True advanced: True helpLink: influxdb.html - influxql-max-select-series: 0 + influxql-max-select-series: description: Maximum number of series that can be returned in a SELECT statement. A value of 0 is the same as unlimited. global: True advanced: True 
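Review bot: `hardening-enabled:` loses its `true` here and, in the next hunk, so do `metrics-disabled`, `pprof-disabled` and `reporting-disabled`; these are the settings that keep InfluxDB from reaching internal addresses and from exposing its metrics and profiling endpoints, so wherever the defaults now live should be checked to still set them to `true`, since a null here could otherwise fall through to InfluxDB's own defaults (hardening off, profiling and metrics endpoints enabled). `http-bind-address:` deserves the same check — an unset bind address must not silently become a listen-everywhere — so confirm the defaults file pins it to the former `:8086`. Where these values now come from is not visible on this page.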
@@ -70,205 +70,205 @@ influxdb:
 global: True
 advanced: True
 helpLink: influxdb.html
- log-level: info
+ log-level:
 description: The log level to use for outputting log statements. Allowed values are debug, info, or error.
 global: True
 advanced: false
 regex: ^(info|debug|error)$
 helpLink: influxdb.html
- metrics-disabled: true
+ metrics-disabled:
 description: If true, the HTTP endpoint that exposes internal InfluxDB metrics will be inaccessible.
 global: True
 advanced: True
 helpLink: influxdb.html
- no-tasks: false
+ no-tasks:
 description: If true, the task system will not process any queued tasks. Useful for troubleshooting startup problems.
 global: True
 advanced: True
 helpLink: influxdb.html
- pprof-disabled: true
+ pprof-disabled:
 description: If true, the profiling data HTTP endpoint will be inaccessible.
 global: True
 advanced: True
 helpLink: influxdb.html
- query-concurrency: 100
+ query-concurrency:
 description: Maximum number of queries to execute concurrently. A value of 0 is the same as unlimited.
 global: True
 advanced: True
 helpLink: influxdb.html
- query-initial-memory-bytes: 1073741824
+ query-initial-memory-bytes:
 description: The initial number of bytes of memory to allocate for a new query.
 global: True
 advanced: True
 helpLink: influxdb.html
- query-max-memory-bytes: 107374182400
+ query-max-memory-bytes:
 description: The number of bytes of memory to allocate to all running queries. Should typically be the query bytes times the max concurrent queries.
 global: True
 advanced: True
 helpLink: influxdb.html
- query-memory-bytes: 1073741824
+ query-memory-bytes:
 description: Maximum number of bytes of memory to allocate to a query.
 global: True
 advanced: True
 helpLink: influxdb.html
- query-queue-size: 500
+ query-queue-size:
 description: Maximum number of queries that can be queued at one time. If this value is reached, new queries will not be queued. A value of 0 is the same as unlimited.
 global: True
 advanced: True
 helpLink: influxdb.html
- reporting-disabled: true
+ reporting-disabled:
 description: If true, prevents InfluxDB from sending telemetry updates to InfluxData's servers.
 global: True
 advanced: True
 helpLink: influxdb.html
- secret-store: bolt
+ secret-store:
 description: Determines the type of storage used for secrets. Allowed values are bolt or vault.
 global: True
 advanced: True
 regex: ^(bolt|vault)$
 helpLink: influxdb.html
- session-length: 60
+ session-length:
 description: Number of minutes that a user login session can remain authenticated.
 global: True
 advanced: True
 helpLink: influxdb.html
- session-renew-disabled: false
+ session-renew-disabled:
 description: If true, user login sessions will renew after each request.
 global: True
 advanced: True
 helpLink: influxdb.html
- sqlite-path: /var/lib/influxdb2/influxd.sqlite
+ sqlite-path:
 description: Path to the Sqlite3 database inside the container. This database stored user data and other information about the database.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-cache-max-memory-size: 1073741824
+ storage-cache-max-memory-size:
 description: Maximum number of bytes to allocate to cache data per shard. If exceeded, new data writes will be rejected.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-cache-snapshot-memory-size: 26214400
+ storage-cache-snapshot-memory-size:
 description: Number of bytes to allocate to cache snapshot data. When the cache reaches this size, it will be written to disk to increase available memory.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-cache-snapshot-write-cold-duration: 10m0s
+ storage-cache-snapshot-write-cold-duration:
 description: Duration between snapshot writes to disk when the shard data hasn't been modified.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-compact-full-write-cold-duration: 4h0m0s
+ storage-compact-full-write-cold-duration:
 description: Duration between shard compactions when the shard data hasn't been modified.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-compact-throughput-burst: 50331648
+ storage-compact-throughput-burst:
 description: Maximum throughput (number of bytes per second) that compactions be written to disk.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-max-concurrent-compactions: 0
+ storage-max-concurrent-compactions:
 description: Maximum number of concurrent compactions. A value of 0 is the same as half the available CPU processors (procs).
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-max-index-log-file-size: 1048576
+ storage-max-index-log-file-size:
 description: Maximum number of bytes of a write-ahead log (WAL) file before it will be compacted into an index on disk.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-no-validate-field-size: false
+ storage-no-validate-field-size:
 description: If true, incoming requests will skip the field size validation.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-retention-check-interval: 30m0s
+ storage-retention-check-interval:
 description: Interval between reviewing each bucket's retention policy and the age of the associated data.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-series-file-max-concurrent-snapshot-compactions: 0
+ storage-series-file-max-concurrent-snapshot-compactions:
 description: Maximum number of concurrent snapshot compactions across all database partitions.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-series-id-set-cache-size: 100
+ storage-series-id-set-cache-size:
 description: Maximum size of the series cache results. Higher values may increase performance for repeated data lookups.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-shard-precreator-advance-period: 30m0s
+ storage-shard-precreator-advance-period:
 description: The duration before a successor shard group is created after the end-time has been reached.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-shard-precreator-check-interval: 10m0s
+ storage-shard-precreator-check-interval:
 description: Interval between checking if new shards should be created.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-tsm-use-madv-willneed: false
+ storage-tsm-use-madv-willneed:
 description: If true, InfluxDB will manage TSM memory paging.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-validate-keys: false
+ storage-validate-keys:
 description: If true, validates incoming requests for supported characters.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-wal-fsync-delay: 0s
+ storage-wal-fsync-delay:
 description: Duration to wait before calling fsync. Useful for handling conflicts on slower disks.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-wal-max-concurrent-writes: 0
+ storage-wal-max-concurrent-writes:
 description: Maximum number of concurrent write-ahead log (WAL) writes to disk. The value of 0 is the same as CPU processors (procs) x 2.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-wal-max-write-delay: 10m
+ storage-wal-max-write-delay:
 description: Maximum duration to wait before writing the write-ahead log (WAL) to disk, when the concurrency limit has been exceeded. A value of 0 is the same as no timeout.
 global: True
 advanced: True
 helpLink: influxdb.html
- storage-write-timeout: 10s
+ storage-write-timeout:
 description: Maximum time to wait for a write-ahead log (WAL) to write to disk before aborting.
 global: True
 advanced: True
 helpLink: influxdb.html
- store: disk
+ store:
 description: The type of data store to use for HTTP resources. Allowed values are disk or memory. Memory should not be used for production Security Onion installations.
 global: True
 advanced: True
 regex: ^(disk|memory)$
 helpLink: influxdb.html
- tls-cert: /conf/influxdb.crt
+ tls-cert:
 description: The container path to the certificate to use for TLS encryption of the HTTP requests and responses.
 global: True
 advanced: True
 helpLink: influxdb.html
- tls-key: /conf/influxdb.key
+ tls-key:
 description: The container path to the certificate key to use for TLS encryption of the HTTP requests and responses.
 global: True
 advanced: True
 helpLink: influxdb.html
- tls-min-version: 1.2
+ tls-min-version:
 description: The minimum supported version of TLS to be enforced on all incoming HTTP requests.
 global: True
 advanced: True
 helpLink: influxdb.html
- tls-strict-ciphers: true
+ tls-strict-ciphers:
 description: If true, the allowed ciphers used with TLS connections are ECDHE_RSA_WITH_AES_256_GCM_SHA384, ECDHE_RSA_WITH_AES_256_CBC_SHA, RSA_WITH_AES_256_GCM_SHA384, or RSA_WITH_AES_256_CBC_SHA.
 global: True
 advanced: True
 helpLink: influxdb.html
- tracing-type: log
+ tracing-type:
 description: The tracing format for debugging purposes. Allowed values are log or jaeger, or leave blank to disable tracing.
 global: True
 advanced: True
 helpLink: influxdb.html
- ui-disabled: false
+ ui-disabled:
 description: If true, the InfluxDB HTTP user interface will be disabled. This will prevent use of the included InfluxDB dashboard visualizations.
 global: True
 advanced: True
@@ -298,17 +298,17 @@ influxdb:
 global: True
 advanced: True
 helpLink: influxdb.html
- vault-client-timeout: 60s
+ vault-client-timeout:
 description: Duration to wait for a response from the Vault server before aborting.
 global: True
 advanced: True
 helpLink: influxdb.html
- vault-max-retries: 2
+ vault-max-retries:
 description: Maximum number of retries when attempting to contact the Vault server. A value of 0 is the same as disabling retries.
 global: True
 advanced: True
 helpLink: influxdb.html
- vault-skip-verify: false
+ vault-skip-verify:
 description: Skip certification validation of the Vault server.
 global: True
 advanced: True
From 80270550867d4f166c619b6d07cd8958425b38b9 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:09:42 +0000 Subject: [PATCH 054/470] Add initial ILM policy delete script
--- .../tools/sbin/so-elasticsearch-ilm-policy-delete | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete new file mode 100644
index 000000000..108dd1178
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
@@ -0,0 +1,11 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X DELETE https://{{ NODEIP }}:9200/_ilm/policy/$1
From b38f4ca7661edb58d1dc815633d5a7dc03eee111 Mon Sep 17 00:00:00 2001
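Review bot: The first line of so-elasticsearch-ilm-policy-delete is `#/bin/bash`, which lacks the `!` and is therefore an ordinary comment: the script has no interpreter line and runs under whatever shell happens to invoke it. It should read `#!/bin/bash`; the same first line appears in so-elasticsaerch-ilm-stop, so-elasticsaerch-ilm-restart and so-elasticsearch-ilm-explain in the following commits. Separately, `$1` is spliced into the DELETE URL unquoted and unchecked, so invoking the script with no argument still sends a DELETE to `/_ilm/policy/`; guard it with `if [ -z "$1" ]; then echo "Usage: $0 <policy-name>"; exit 1; fi` and quote the URL as `"https://{{ NODEIP }}:9200/_ilm/policy/$1"`.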
From: Wes Date: Wed, 8 Feb 2023 21:29:16 +0000 Subject: [PATCH 055/470] Add initial ILM service stop script
--- salt/common/tools/sbin/so-elasticsaerch-ilm-stop | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-stop
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-stop b/salt/common/tools/sbin/so-elasticsaerch-ilm-stop new file mode 100644
index 000000000..23c068918
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-stop
@@ -0,0 +1,12 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+echo "Stopping ILM..."
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/stop
From 03849b0659f994c39a07791e4a9179c3e9fa42b8 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:29:38 +0000 Subject: [PATCH 056/470] Add initial ILM service start script
--- salt/common/tools/sbin/so-elasticsaerch-ilm-start | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-start
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-start b/salt/common/tools/sbin/so-elasticsaerch-ilm-start new file mode 100644
index 000000000..98dd38e9e
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-start
@@ -0,0 +1,12 @@
+/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+echo "Starting ILM..."
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -X POST https://{{ NODEIP }}:9200/_ilm/start
From 1de3871ee9fd148cb54aa88d631a06c940b2d75c Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:30:25 +0000 Subject: [PATCH 057/470] Add initial ILM service restart script
--- salt/common/tools/sbin/so-elasticsaerch-ilm-restart | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsaerch-ilm-restart
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-restart b/salt/common/tools/sbin/so-elasticsaerch-ilm-restart new file mode 100644
index 000000000..7f422ed6e
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsaerch-ilm-restart
@@ -0,0 +1,10 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+so-elasticsearch-ilm-stop
+so-elasticsearch-ilm-start
From 3e31bda2854a54767e633640353857c699b8872d Mon Sep 17 00:00:00 2001
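Review bot: The first line of so-elasticsaerch-ilm-start is a bare `/bin/bash` with no `#!`, so it is not a shebang but a command: when the script runs, a child bash is launched and the curl call below only executes once that child shell exits, which on a terminal means an unexpected interactive shell. Replace the line with `#!/bin/bash`. so-elasticsearch-ilm-status, added two commits later, has the identical first line and needs the same fix.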
From: Wes Date: Wed, 8 Feb 2023 21:32:17 +0000 Subject: [PATCH 058/470] Fix typo in Elasticsearch portion of script names
--- ...{so-elasticsaerch-ilm-restart => so-elasticsearch-ilm-restart} | 0 .../{so-elasticsaerch-ilm-start => so-elasticsearch-ilm-start} | 0 .../sbin/{so-elasticsaerch-ilm-stop => so-elasticsearch-ilm-stop} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename salt/common/tools/sbin/{so-elasticsaerch-ilm-restart => so-elasticsearch-ilm-restart} (100%) rename salt/common/tools/sbin/{so-elasticsaerch-ilm-start => so-elasticsearch-ilm-start} (100%) rename salt/common/tools/sbin/{so-elasticsaerch-ilm-stop => so-elasticsearch-ilm-stop} (100%)
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-restart b/salt/common/tools/sbin/so-elasticsearch-ilm-restart similarity index 100% rename from salt/common/tools/sbin/so-elasticsaerch-ilm-restart rename to salt/common/tools/sbin/so-elasticsearch-ilm-restart
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-start b/salt/common/tools/sbin/so-elasticsearch-ilm-start similarity index 100% rename from salt/common/tools/sbin/so-elasticsaerch-ilm-start rename to salt/common/tools/sbin/so-elasticsearch-ilm-start
diff --git a/salt/common/tools/sbin/so-elasticsaerch-ilm-stop b/salt/common/tools/sbin/so-elasticsearch-ilm-stop similarity index 100% rename from salt/common/tools/sbin/so-elasticsaerch-ilm-stop rename to salt/common/tools/sbin/so-elasticsearch-ilm-stop
From 91d24d36f9a4f15fe91cb408042417f2514b9c28 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:34:15 +0000 Subject: [PATCH 059/470] Add initial ILM lifecycle status explanation script
--- .../tools/sbin/so-elasticsearch-ilm-explain | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-explain
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-explain b/salt/common/tools/sbin/so-elasticsearch-ilm-explain new file mode 100644
index 000000000..db31dcb0f
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-explain
@@ -0,0 +1,15 @@
+#/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+if [ "$1" == "" ]; then
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_all/_ilm/explain | jq .
+else
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/$1/_ilm/explain | jq .[]
+fi
From 1d6c03feb1a9cc0535f8c221c2d6fc600c9ff7a2 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:34:39 +0000 Subject: [PATCH 060/470] Rename initial ILM lifecycle status explanation script
--- ...icsearch-ilm-explain => so-elasticsearch-ilm-lifecycle-status} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename salt/common/tools/sbin/{so-elasticsearch-ilm-explain => so-elasticsearch-ilm-lifecycle-status} (100%)
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-explain b/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status similarity index 100% rename from salt/common/tools/sbin/so-elasticsearch-ilm-explain rename to salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status
From b319b50fa17d49059e082aec4085d2c31ec635e9 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 8 Feb 2023 21:39:33 +0000 Subject: [PATCH 061/470] Add initial ILM status script
--- salt/common/tools/sbin/so-elasticsearch-ilm-status | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 salt/common/tools/sbin/so-elasticsearch-ilm-status
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-status b/salt/common/tools/sbin/so-elasticsearch-ilm-status new file mode 100644
index 000000000..8d78adc5b
--- /dev/null
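Review bot: In the `else` branch of so-elasticsearch-ilm-explain the jq filter `.[]` is passed unquoted, leaving it exposed to shell pathname expansion, and `$1` is spliced into the URL unquoted, so an index name containing shell-significant characters is not passed through intact; both belong in quotes: `curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://{{ NODEIP }}:9200/$1/_ilm/explain" | jq '.[]'`. The emptiness test `[ "$1" == "" ]` relies on the bash-only `==`, yet the file's first line `#/bin/bash` is a comment rather than a shebang, so the shell actually used is not pinned; `[ -z "$1" ]` is portable and reads more clearly.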
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-status
@@ -0,0 +1,11 @@
+/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') %}
+
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ilm/status | jq .
From 8a00521092895ab35b40913c36d2c589d3c1a3e6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 8 Feb 2023 17:19:20 -0500 Subject: [PATCH 062/470] ensure node_data is populated with self if logstash:nodes data doesnt exist, ie import node
--- salt/logstash/map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja
index 5f0a7ea79..553144b45 100644
--- a/salt/logstash/map.jinja
+++ b/salt/logstash/map.jinja
@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% set REDIS_NODES = [] %}
 {% set LOGSTASH_NODES = [] %}
-{% set node_data = salt['pillar.get']('logstash:nodes') %}
+{% set node_data = salt['pillar.get']('logstash:nodes', {GLOBALS.role.split('-')[1]: {GLOBALS.hostname: {'ip': GLOBALS.node_ip}}}) %}
 {% for node_type, node_details in node_data.items() | sort %}
 {% if GLOBALS.role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %}
From 849e53e1ebb68ad825ba40f8262b341088c18af2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 17:40:27 -0500 Subject: [PATCH 063/470] upgrade influx
--- salt/influxdb/defaults.yaml | 20 ++++++++++---------- salt/nginx/etc/nginx.conf | 2 +- 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml
index 72c436a41..64b7d394b 100644
--- a/salt/influxdb/defaults.yaml
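Review bot: The fallback handed to `pillar.get` in map.jinja keys the synthesized node map by `GLOBALS.role.split('-')[1]`, i.e. the bare role suffix such as `import`, while the `for node_type` loop that consumes it (its body lies outside the hunk) is presumably written for whatever node-type names the real `logstash:nodes` pillar uses; if those conventions differ, the fallback entry is silently never matched, so please confirm they agree. The expression also assumes every role contains a `-`, which holds for the `so-*` roles tested on the next line but is worth stating. A one-line comment above the `set` would make the intent clear to the next reader, e.g. `{# Fallback for nodes without a logstash:nodes pillar (e.g. import): treat this host as the only node of its role #}`.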
+++ b/salt/influxdb/defaults.yaml
@@ -2,7 +2,7 @@ influxdb:
 config:
 bolt-path: /var/lib/influxdb2/influxd.bolt
 engine-path: /var/lib/influxdb2/engine
- feature-flags:
+ feature-flags: ""
 flux-log-enabled: false
 hardening-enabled: true
 http-bind-address: :8086
@@ -13,7 +13,7 @@ influxdb:
 influxql-max-select-buckets: 0
 influxql-max-select-point: 0
 influxql-max-select-series: 0
- instance-id:
+ instance-id: ""
 log-level: info
 metrics-disabled: true
 no-tasks: false
@@ -52,18 +52,18 @@ influxdb:
 tls-key: /conf/influxdb.key
 tls-min-version: 1.2
 tls-strict-ciphers: true
- tracing-type: log
+ tracing-type: ""
 ui-disabled: false
- vault-addr:
- vault-cacert:
- vault-capath:
- vault-client-cert:
- vault-client-key:
+ vault-addr: ""
+ vault-cacert: ""
+ vault-capath: ""
+ vault-client-cert: ""
+ vault-client-key: ""
 vault-client-timeout: 60s
 vault-max-retries: 2
 vault-skip-verify: false
- vault-tls-server-name:
- vault-token:
+ vault-tls-server-name: ""
+ vault-token: ""
 retention_policies:
 so_short_term:
 default: True
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index d72052a01..391033766 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -186,7 +186,7 @@ http {
 location /influxdb/ {
 auth_request /auth/sessions/whoami;
 rewrite /influxdb/(.*) /$1 break;
- proxy_pass http://{{ GLOBALS.manager_ip }}:8086/;
+ proxy_pass https://{{ GLOBALS.manager_ip }}:8086/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
 proxy_set_header Host $host;
From 28eee48a7cac69fb95f7b482078572d2e31d175e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Feb 2023 20:38:29 -0500 Subject: [PATCH 064/470] influx upgrade
--- salt/influxdb/defaults.yaml | 1 + salt/influxdb/soc_influxdb.yaml | 5 +++++ salt/nginx/etc/nginx.conf | 1 - 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml
index 64b7d394b..82e59db90 100644
--- a/salt/influxdb/defaults.yaml
+++ b/salt/influxdb/defaults.yaml
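Review bot: Changing `proxy_pass` to `https://` in the `/influxdb/` location does not by itself authenticate the upstream: nginx defaults to `proxy_ssl_verify off`, so unless it is enabled elsewhere in this server block (outside the hunk) the TLS hop to InfluxDB accepts any certificate and only gains confidentiality, not peer identity. Since the InfluxDB certificate is provisioned by this deployment (defaults.yaml's `tls-cert`/`tls-key`), the location should add `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path to the CA that issued the InfluxDB cert>;` (placeholder), and, if the certificate names a host rather than the IP used here, `proxy_ssl_name` plus `proxy_ssl_server_name on;`. The same location is edited again in the next commit, which would be the natural place to carry this.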
@@ -1,5 +1,6 @@
 influxdb:
 config:
+ assets-path: /ui
 bolt-path: /var/lib/influxdb2/influxd.bolt
 engine-path: /var/lib/influxdb2/engine
 feature-flags: ""
diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml
index ef6519471..cbef9db85 100644
--- a/salt/influxdb/soc_influxdb.yaml
+++ b/salt/influxdb/soc_influxdb.yaml
@@ -1,5 +1,10 @@
 influxdb:
 config:
+ assets-path:
+ description: Path to the InfluxDB user interface assets located inside the so-influxdb container.
+ global: True
+ advanced: True
+ helpLink: influxdb.html
 bolt-path:
 description: Path to the bolt DB file located inside the so-influxdb container.
 global: True
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 391033766..5822170ea 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -185,7 +185,6 @@ http {
 location /influxdb/ {
 auth_request /auth/sessions/whoami;
- rewrite /influxdb/(.*) /$1 break;
 proxy_pass https://{{ GLOBALS.manager_ip }}:8086/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
From 613793ad9b1100fbcaf9f4dd69516851fc062e59 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 9 Feb 2023 09:32:04 -0500 Subject: [PATCH 065/470] Temporarily use Elasticsearch output for Standalone installations
--- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 217d69036..9c25dde55 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
 cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
-{% if grains.role == 'so-import' %}
+{% if grains.role in ['so-import', 'so-standalone'] %}
 # Add SO-Manager Elasticsearch Ouput
 ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
 JSON_STRING=$( jq -n \
From b744dc0641665a58adf3a5c0de5c00cd23ada75e Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 9 Feb 2023 09:35:29 -0500 Subject: [PATCH 066/470] Add so-eval to list of modes using the Elasticsearch output for Elastic Agent and Fleet
--- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 9c25dde55..b82890faa 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
 cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
-{% if grains.role in ['so-import', 'so-standalone'] %}
+{% if grains.role in ['so-import', 'so-standalone', 'so-eval'] %}
 # Add SO-Manager Elasticsearch Ouput
 ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
 JSON_STRING=$( jq -n \
From bb6fc8da19ed48f94436459daab81391c6f15262 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 9 Feb 2023 15:51:58 +0000 Subject: [PATCH 067/470] Add policy templates for other logs
--- .../sbin/so-elasticsearch-ilm-policy-load | 56 ++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
index 2780ab59e..78766953b 100644
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
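Review bot: The role list that selects the Elasticsearch output is now a bare literal in the `{% if %}` with nothing in the file saying it is provisional, although the commit message calls the change temporary; a reader of so-elastic-fleet-setup will take it for the intended design. Add a comment directly above the condition, e.g. `# TEMPORARY: these roles ship Elastic Agent data straight to Elasticsearch instead of the Fleet/Logstash path; revisit once <reason/issue> is resolved` (placeholder), so the condition can be revisited deliberately. The second hunk on this page extends the same list with `so-eval` and would carry the same comment; the surrounding block continues beyond both hunks.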
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load 
@@ -12,8 +12,62 @@ echo echo "Setting up default Security Onion index lifecycle management policies..."
+# Elasticsearch logs
+echo
+echo "Setting up Elasticsearch ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Import logs
+echo
+echo "Setting up Import ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-import-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Kibana logs
+echo
+echo "Setting up Kratos ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kibana-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Kratos logs
+echo
+echo "Setting up Kratos ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kratos-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Logstash logs
+echo
+echo "Setting up Logstash ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-logstash-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Redis logs
+echo
+echo "Setting up Redis ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-redis-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Strelka logs
+echo
+echo "Setting up Strelka ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-strelka-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Suricata logs
+echo
+echo "Setting up Suricata ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-suricata-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
+# Syslog logs
+echo
+echo "Setting up Syslog ILM policy..."
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-syslog-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
+echo
+
 # Zeek logs
 echo
 echo "Setting up Zeek ILM policy..."
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "1gb", "max_age": "30d" } } } } } }'
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
 echo
From ee7f299e6d2859a471afd025621cae1160b2846a Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 9 Feb 2023 15:56:36 +0000 Subject: [PATCH 068/470] Fix typo - 'Kratos' to 'Kibana'
--- salt/common/tools/sbin/so-elasticsearch-ilm-policy-load | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
index 78766953b..09cc6dc08 100644
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
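Review bot: The nine added blocks differ only in the policy name and the echoed label; the curl invocation and the entire JSON policy body are repeated verbatim ten times, which is exactly how the `Kratos` label ended up under `# Kibana logs` and which means a future change to the rollover thresholds has to be made in ten places. A small helper taking the name once keeps the policy body in a single place; with bash's `${name^}` the echoed labels stay identical to the current ones, so the visible output does not change. The existing Zeek block folds into the same loop; the header, `so-common` sourcing and the `NODEIP`/`SESSIONCOOKIE` setup above the hunk are untouched.

```shell
# … unchanged: license header, so-common, NODEIP / SESSIONCOOKIE setup …

# Create (or overwrite) one hot-phase rollover policy named so-<name>-logs.
# Every policy currently shares this body; change thresholds here, not per service.
load_policy() {
  local name="$1"
  echo
  echo "Setting up ${name^} ILM policy..."
  curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-${name}-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }'
  echo
}

for name in elasticsearch import kibana kratos logstash redis strelka suricata syslog zeek; do
  load_policy "$name"
done
```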
@@ -15,7 +15,7 @@ echo "Setting up default Security Onion index lifecycle management policies..." # Elasticsearch logs echo echo "Setting up Elasticsearch ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' echo # Import logs @@ -26,7 +26,7 @@ echo # Kibana logs echo -echo "Setting up Kratos ILM policy..." +echo "Setting up Kibana ILM policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kibana-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' echo From 0e50d36da60d3aeabb5cffa779daa90262456cd3 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Feb 2023 16:18:04 -0500 Subject: [PATCH 069/470] upgrade influx --- salt/common/tools/sbin/so-influxdb-user | 95 +++++++++++++++++++++++++ salt/common/tools/sbin/so-user | 5 ++ salt/nginx/etc/nginx.conf | 4 +- salt/telegraf/etc/telegraf.conf | 6 +- 4 files changed, 107 insertions(+), 3 deletions(-) create mode 100644 salt/common/tools/sbin/so-influxdb-user 
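Review bot: The first hunk renames the policy URL from `so-elasticsearch-logs` to `elasticsearch-logs`, dropping the `so-` prefix that every other policy in this script carries (`so-import-logs`, `so-kibana-logs`), while the commit message only describes the Kratos/Kibana typo fix in the second hunk. Any index template that references the policy by its old name keeps pointing at a policy this script no longer creates; the later defaults.yaml hunk at L430 adds `lifecycle: name: so-elasticsearch-logs`, which matches the old name. Unless the rename is intentional, the line should keep `.../_ilm/policy/so-elasticsearch-logs`.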
diff --git a/salt/common/tools/sbin/so-influxdb-user b/salt/common/tools/sbin/so-influxdb-user new file mode 100644 index 000000000..9b9e5e57b --- /dev/null +++ b/salt/common/tools/sbin/so-influxdb-user 
@@ -0,0 +1,95 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +usage() { + echo "Usage: $0 " + echo "" + echo "Supported Operations:" + echo " add Adds a new user" + echo " delete Removes an existing user" + echo " enable Enables a user" + echo " disable Disables a user" + echo " password Updates a user's password" + echo "" + echo "If required, the password will be read from STDIN." + exit 1 +} + +if [ $# -ne 2 ]; then + usage +fi + +KIND=InfluxDB +OP=$1 +USER_EMAIL=$2 +TOKEN=$(lookup_pillar_secret influx_token) + +log() { + echo -e "$@" +} + +read_password() { + # Read password for new user from stdin + test -t 0 + if [[ $? == 0 ]]; then + echo "Enter new password:" + fi + read -rs USER_PASS + + check_password_and_exit "$USER_PASS" +} + +check_response() { + response=$1 + if [[ "$response" =~ "\"code\":" ]]; then + log "Failed. 
Check the response for more details.\n$response" + fi +} + +set -eo pipefail + +if [[ "$OP" == "add" ]]; then + log "Creating new $KIND user" + response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$USER_EMAIL\"}" -H "Authorization: Token $TOKEN") + check_response "$response" + OP=password +fi + +response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $TOKEN") +check_response "$response" +USER_ID=$(echo "$response" | jq -r ".users[] | select(.name == \"$USER_EMAIL\").id") +if [[ -z "$USER_ID" ]]; then + log "$KIND user not found" + exit 1 +fi + +if [[ "$OP" == "password" ]]; then + read_password + log "Updating $KIND user password" + response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID/password -X POST -d "{\"password\":\"$USER_PASS\"}" -H "Authorization: Token $TOKEN") + check_response "$response" +fi + +if [[ "$OP" == "delete" ]]; then + log "Deleting $KIND user" + response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X DELETE -H "Authorization: Token $TOKEN") + check_response "$response" +fi + +if [[ "$OP" == "enable" ]]; then + log "Enabling $KIND user" + response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"active\"}" -H "Authorization: Token $TOKEN") + check_response "$response" +fi + +if [[ "$OP" == "disable" ]]; then + log "Disabling $KIND user" + response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"inactive\"}" -H "Authorization: Token $TOKEN") + check_response "$response" +fi diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 1e69ee82b..46feef640 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
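Review bot: The password and user name are spliced into JSON and into a jq program by shell interpolation, so a value containing `"` or `\` produces a malformed request body or a jq syntax error (`-d "{\"password\":\"$USER_PASS\"}"`, `select(.name == \"$USER_EMAIL\")`). Building the bodies with jq keeps any value intact: `jq -n --arg p "$USER_PASS" '{password: $p}' | curl ... -d @- ...` and `jq -r --arg n "$USER_EMAIL" '.users[] | select(.name == $n).id'`. Passing the password and the admin token as `curl` arguments also exposes both in the process list for the duration of each request; `-d @-` removes the password from argv, and the `Authorization` header could come from a `-H @file` or a curl config file the way the Elasticsearch scripts use `-K`. Quoting `$USER_ID` in the URLs is a small style fix on the same lines.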
@@ -588,6 +588,7 @@ case "${operation}" in syncAll echo "Successfully added new user to SOC" check_container fleet && echo "$password" | so-fleet-user-add "$email" + echo "$password" | so-influxdb-user add "$email" ;; "list") @@ -628,6 +629,7 @@ case "${operation}" in updateUserPassword "$email" syncAll echo "Successfully updated user password" + echo "$password" | so-influxdb-user password "$email" ;; "profile") @@ -648,6 +650,7 @@ case "${operation}" in syncAll echo "Successfully enabled user" echo "Fleet user will need to be recreated manually with so-fleet-user-add" + so-influxdb-user enable "$email" ;; "disable") @@ -659,6 +662,7 @@ case "${operation}" in syncAll echo "Successfully disabled user" check_container fleet && so-fleet-user-delete "$email" + so-influxdb-user disable "$email" ;; "delete") @@ -670,6 +674,7 @@ case "${operation}" in syncAll echo "Successfully deleted user" check_container fleet && so-fleet-user-delete "$email" + so-influxdb-user delete "$email" ;; "sync") diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 5822170ea..8dce92b75 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -185,11 +185,11 @@ http { location /influxdb/ { auth_request /auth/sessions/whoami; + rewrite /influxdb/api/(.*) /api/$1 break; proxy_pass https://{{ GLOBALS.manager_ip }}:8086/; - proxy_read_timeout 90; + proxy_read_timeout 300; proxy_connect_timeout 90; proxy_set_header Host $host; - proxy_set_header Authorization "Basic {{ influxauth }}"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 0c3957a89..b6298a637 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf 
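Review bot: The new `so-influxdb-user add` call in the first hunk runs unconditionally, whereas the Fleet line beside it is gated on `check_container fleet`; the password, enable, disable and delete hunks in this file have the same shape. On a node where the InfluxDB container is absent each call fails after SOC has already printed its success message. If the container name is `so-influxdb` (the state id in the later influxdb/init.sls hunk suggests so), the calls could be guarded the same way, e.g. `check_container so-influxdb && echo "$password" | so-influxdb-user add "$email"`.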
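Review bot: The `rewrite /influxdb/api/(.*) /api/$1 break;` added to the `/influxdb/` location is unanchored, so it matches the first occurrence of `/influxdb/api/` anywhere in the URI rather than at its start; `rewrite ^/influxdb/api/(.*)$ /api/$1 break;` states the intent and is the usual form. Removing the fixed `Authorization: Basic` header means the upstream now receives whatever `Authorization` header the browser sends on this session-gated path; a comment on the `auth_request` line noting that InfluxDB now enforces its own token per request would help the next reader understand why the shared header was dropped.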
@@ -2,6 +2,7 @@ {%- set INFLUXDBHOST = GLOBALS.influxdb_host %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} +{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %} {%- set NODEIP = GLOBALS.node_ip %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %} @@ -71,8 +72,11 @@ ############################################################################### # Configuration for sending metrics to InfluxDB -[[outputs.influxdb]] +[[outputs.influxdb_v2]] urls = ["https://{{ INFLUXDBHOST }}:8086"] + token = "$TOKEN" + organization = "Security Onion" + bucket = "telegraf/so_short_term" ## Optional TLS Config for use on HTTP connections. tls_ca = "/etc/telegraf/ca.crt" From 0eec8b22a228494896b03e5919ceba2ff6c349a2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Feb 2023 18:27:14 -0500 Subject: [PATCH 070/470] influx upgrade --- salt/common/tools/sbin/so-influxdb-user | 4 ++++ salt/influxdb/init.sls | 2 +- salt/nginx/etc/nginx.conf | 1 + salt/telegraf/etc/telegraf.conf | 2 +- 4 files changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-influxdb-user b/salt/common/tools/sbin/so-influxdb-user index 9b9e5e57b..ae0d42ebf 100644 --- a/salt/common/tools/sbin/so-influxdb-user +++ b/salt/common/tools/sbin/so-influxdb-user @@ -36,10 +36,12 @@ log() { read_password() { # Read password for new user from stdin + set +e test -t 0 if [[ $? == 0 ]]; then echo "Enter new password:" fi + set -e read -rs USER_PASS check_password_and_exit "$USER_PASS" @@ -49,6 +51,7 @@ check_response() { response=$1 if [[ "$response" =~ "\"code\":" ]]; then log "Failed. Check the response for more details.\n$response" + exit 1 fi } 
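Review bot: The new `TOKEN` lookup in the telegraf hunk defaults to `''` when `secrets:influx_token` is absent, so a missing pillar value renders an output block with an empty token and the problem only surfaces as rejected writes at runtime. A render-time guard such as `{%- if not TOKEN %}{{ raise('secrets:influx_token is not set') }}{%- endif %}` after the `set` line would fail the state while the cause is still obvious.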
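Review bot: The `set +e` / `set -e` pair around `test -t 0` in the so-influxdb-user hunk exists only because the status is read from `$?` on a separate line; testing inside the condition, `if [ -t 0 ]; then echo "Enter new password:"; fi`, is exempt from errexit and removes both toggles. That also avoids leaving errexit disabled should a later edit insert a line between the two `set` calls.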
@@ -61,6 +64,7 @@ if [[ "$OP" == "add" ]]; then OP=password fi +log "Looking up user ID" response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $TOKEN") check_response "$response" USER_ID=$(echo "$response" | jq -r ".users[] | select(.name == \"$USER_EMAIL\").id") diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 2fbf88d3a..a3a59db70 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -51,7 +51,7 @@ so-influxdb: - DOCKER_INFLUXDB_INIT_MODE=setup - DOCKER_INFLUXDB_INIT_USERNAME=so - DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }} - - DOCKER_INFLUXDB_INIT_ORG="Security Onion" + - DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - DOCKER_INFLUXDB_INIT_RETENTION=30d - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 8dce92b75..1dc73d030 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -194,6 +194,7 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; + proxy_cookie_path /api/ /influxdb/api/; } location /kibana/ { diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index b6298a637..61843da5f 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -74,7 +74,7 @@ # Configuration for sending metrics to InfluxDB [[outputs.influxdb_v2]] urls = ["https://{{ INFLUXDBHOST }}:8086"] - token = "$TOKEN" + token = "{{ TOKEN }}" organization = "Security Onion" bucket = "telegraf/so_short_term" From e77813a1735f5ad88128b2700a80bf0118c225cf Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Feb 2023 19:14:58 -0500 Subject: [PATCH 071/470] influx upgrade --- salt/common/tools/sbin/so-influxdb-user | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) 
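Review bot: The organization name `Security Onion` is now a literal in three places: `DOCKER_INFLUXDB_INIT_ORG=Security Onion` in the init.sls hunk, `organization = "Security Onion"` in the telegraf hunk, and the jq filter `select(.name == \"Security Onion\")` in the so-influxdb-user hunk at L425. A single value in the influxdb defaults/pillar rendered into each file would keep them from drifting; the membership lookup in the script is the one that fails with `organization not found` if they do.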
diff --git a/salt/common/tools/sbin/so-influxdb-user b/salt/common/tools/sbin/so-influxdb-user index ae0d42ebf..90cf84e25 100644 --- a/salt/common/tools/sbin/so-influxdb-user +++ b/salt/common/tools/sbin/so-influxdb-user @@ -61,7 +61,6 @@ if [[ "$OP" == "add" ]]; then log "Creating new $KIND user" response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$USER_EMAIL\"}" -H "Authorization: Token $TOKEN") check_response "$response" - OP=password fi log "Looking up user ID" @@ -73,6 +72,22 @@ if [[ -z "$USER_ID" ]]; then exit 1 fi +log "Looking up organization ID" +response=$(curl -sk https://localhost:8086/api/v2/orgs?limit=100 -H "Authorization: Token $TOKEN") +check_response "$response" +ORG_ID=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id") +if [[ -z "$ORG_ID" ]]; then + log "$KIND organization not found" + exit 1 +fi + +if [[ "$OP" == "add" ]]; then + log "Adding new $KIND user to organization" + response=$(curl -sk https://localhost:8086/api/v2/orgs/$ORG_ID/members -X POST -d "{\"id\":\"$USER_ID\"}" -H "Authorization: Token $TOKEN") + check_response "$response" + OP=password +fi + if [[ "$OP" == "password" ]]; then read_password log "Updating $KIND user password" From 7b7461ef01dab712d0d81607b140a0205de39722 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 10 Feb 2023 14:59:29 +0000 Subject: [PATCH 072/470] Dynamically load index management lifecycle policies based on pillar values --- .../sbin/so-elasticsearch-ilm-policy-load | 70 +++---------------- 1 file changed, 9 insertions(+), 61 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load index 09cc6dc08..0b8110cad 100644 --- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load 
@@ -1,4 +1,4 @@
-#/bin/bash
+/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
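Review bot: The new first line `/bin/bash` is an executable command rather than a shebang: when the script runs it spawns a bash process and waits for it before any policy is loaded. The line should be `#!/bin/bash`; the follow-up hunk at L430 and the new copy at L437 restore `#/bin/bash`, which is a comment rather than a shebang, so the script still runs under whichever shell invokes it.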
@@ -6,68 +6,16 @@ . /usr/sbin/so-common +{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %} +{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %} {%- set NODEIP = salt['pillar.get']('host:mainip', '') %} -# Set up ILM policies +{%- for index, settings in ES_INDEX_SETTINGS.items() %} + {%- if settings.policy is defined %} echo -echo "Setting up default Security Onion index lifecycle management policies..." - -# Elasticsearch logs +echo "Setting up {{ index }}-logs policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }' echo -echo "Setting up Elasticsearch ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/elasticsearch-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Import logs -echo -echo "Setting up Import ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-import-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Kibana logs -echo -echo "Setting up Kibana ILM policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kibana-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Kratos logs -echo -echo "Setting up Kratos ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-kratos-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Logstash logs -echo -echo "Setting up Logstash ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-logstash-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Redis logs -echo -echo "Setting up Redis ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-redis-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Strelka logs -echo -echo "Setting up Strelka ILM policy..." 
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-strelka-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Suricata logs -echo -echo "Setting up Suricata ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-suricata-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Syslog logs -echo -echo "Setting up Syslog ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-syslog-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' -echo - -# Zeek logs -echo -echo "Setting up Zeek ILM policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/so-zeek-logs" -H 'Content-Type: application/json' -d'{ "policy": { "phases": { "hot": { "min_age": "0ms", "actions": { "set_priority": { "priority": 100 }, "rollover": { "max_primary_shard_size": "50gb", "max_age": "30d" } } } } } }' + {%- endif %} +{%- endfor %} echo From d17cf89c686ed5e8f213d4beb50133147316ffa6 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 10 Feb 2023 15:01:09 +0000 Subject: [PATCH 073/470] Fix Bash shebang --- salt/common/tools/sbin/so-elasticsearch-ilm-policy-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
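Review bot: The generated `curl` PUT discards the Elasticsearch response, so a rejected policy (malformed JSON from `tojson`, a bad `min_age` value, an auth failure) prints nothing and the script still exits 0; the identical copy added at L437 and the cmd.run state that calls it at L436 therefore report success regardless. Checking the response for `"acknowledged":true` and exiting non-zero otherwise lets Salt fail the state. The policy body is also emitted inside a single-quoted shell string, so a `'` in any policy value would break the command; feeding the JSON via `-d @-` avoids that as well.
```bash
# … unchanged: jinja loop header and the two echo lines …
response=$(curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d @- <<'EOF'
{ "policy": {{ settings.policy | tojson(true) }} }
EOF
)
if ! echo "$response" | grep -q '"acknowledged":true'; then
  echo "Failed to load {{ index }}-logs policy: $response"
  exit 1
fi
# … unchanged: closing echo, endif, endfor …
```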
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load index 0b8110cad..dda521736 100644 --- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load +++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load @@ -1,4 +1,4 @@ -/bin/bash +#/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the From c9118699a99e4c459674fb16cee83235b2abfbe7 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 10 Feb 2023 15:10:30 +0000 Subject: [PATCH 074/470] Add index management lifecycle policy defintion and reference in index template --- salt/elasticsearch/defaults.yaml | 202 +++++++++++++++++++++++++++++++ 1 file changed, 202 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 3d1182255..a0c431881 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1430,6 +1430,8 @@ elasticsearch: date_detection: false settings: index: + lifecycle: + name: so-elasticsearch-logs mapping: total_fields: limit: 5000 @@ -1498,6 +1500,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-endgame: index_sorting: False index_template: @@ -2183,6 +2204,8 @@ elasticsearch: date_detection: false settings: index: + lifecycle: + name: so-suricata-logs mapping: total_fields: limit: 5000 
@@ -2251,6 +2274,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-imperva: index_sorting: False index_template: @@ -2351,6 +2393,8 @@ elasticsearch: date_detection: false settings: index: + lifecycle: + name: so-import-logs mapping: total_fields: limit: 5000 @@ -2419,6 +2463,25 @@ elasticsearch: - common-dynamic-mappings - winlog-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-infoblox: index_sorting: False index_template: @@ -2671,6 +2734,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-kratos: warm: 7 close: 30 @@ -2754,6 +2836,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-logstash: index_sorting: False index_template: @@ -2770,6 +2871,8 @@ elasticsearch: date_detection: false settings: index: + lifecycle: + name: so-logstash-logs mapping: total_fields: limit: 5000 
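Review bot: Four of the new `policy` blocks are not paired with a `settings.index.lifecycle.name` entry: judging by the key that follows each hunk, the blocks before `so-kratos` and `so-logstash` on this line and before `so-syslog` and `so-tomcat` at L432 belong to so-kibana, so-kratos, so-strelka and so-syslog, and none of those receives a `lifecycle: name:` hunk, so the load script creates the policy but no index ever uses it. The hunk before `so-imperva` sets `name: so-suricata-logs`, while the load script names each policy `{{ index }}-logs` from the index_settings key; unless that key is literally `so-suricata` (the surrounding alphabetical order suggests `so-ids`), the template references a policy that is never created. The same 19-line policy is repeated ten times; defining it once as an anchor (`&default_ilm_policy`) and aliasing it per index would keep the retention values from drifting.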
@@ -2838,6 +2941,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-microsoft: index_sorting: False index_template: @@ -3691,6 +3813,8 @@ elasticsearch: date_detection: false settings: index: + lifecycle: + name: so-redis-logs mapping: total_fields: limit: 5000 @@ -3759,6 +3883,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-snort: index_sorting: False index_template: @@ -4262,6 +4405,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-syslog: index_sorting: False index_template: @@ -4347,6 +4509,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-tomcat: index_sorting: False index_template: @@ -4447,6 +4628,8 @@ elasticsearch: date_detection: false settings: index: + lifecycle: + name: so-zeek-logs mapping: total_fields: limit: 5000 
@@ -4517,6 +4700,25 @@ elasticsearch: - common-settings - common-dynamic-mappings priority: 500 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} so-zscaler: index_sorting: False index_template: From 1d0e09bdf7b986dbfe27cada6fc6ddf752827026 Mon Sep 17 00:00:00 2001 
From: Wes Date: Fri, 10 Feb 2023 15:26:46 +0000 Subject: [PATCH 075/470] Ensure Elastic utility scripts have the correct permissions --- salt/common/tools/sbin/so-elastic-fleet-agent-policy-view | 0 .../tools/sbin/so-elastic-fleet-integration-policy-bulk-delete | 0 salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status | 0 salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete | 0 salt/common/tools/sbin/so-elasticsearch-ilm-policy-load | 0 salt/common/tools/sbin/so-elasticsearch-ilm-policy-view | 0 salt/common/tools/sbin/so-elasticsearch-ilm-restart | 0 salt/common/tools/sbin/so-elasticsearch-ilm-start | 0 salt/common/tools/sbin/so-elasticsearch-ilm-status | 0 salt/common/tools/sbin/so-elasticsearch-ilm-stop | 0 10 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-fleet-agent-policy-view mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-policy-load mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-policy-view mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-restart mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-start mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-status mode change 100644 => 100755 salt/common/tools/sbin/so-elasticsearch-ilm-stop diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete old mode 100644 new mode 100755 
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status b/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-restart b/salt/common/tools/sbin/so-elasticsearch-ilm-restart old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-start b/salt/common/tools/sbin/so-elasticsearch-ilm-start old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-status b/salt/common/tools/sbin/so-elasticsearch-ilm-status old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-stop b/salt/common/tools/sbin/so-elasticsearch-ilm-stop old mode 100644 new mode 100755 From 994eabae1b4fabc35208d152682225e5ea8e6609 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 10 Feb 2023 18:57:19 +0000 Subject: [PATCH 076/470] Manage policy loading in Elasticsearch state --- salt/elasticsearch/init.sls | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 43e8d9f72..b9caa2e89 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -53,9 +53,19 @@ es_sync_scripts: - source: salt://elasticsearch/tools/sbin - exclude_pat: - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state + - so-elasticsearch-ilm-policy-load - defaults: GLOBALS: {{ GLOBALS }} +so-elasticsearch-ilm-policy-load-script: + file.managed: + - name: /usr/sbin/so-elasticsearch-ilm-policy-load + - source: salt://elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load + - user: 930 + - group: 939 + - mode: 754 + - template: jinja + so-elasticsearch-pipelines-script: file.managed: - name: /usr/sbin/so-elasticsearch-pipelines @@ -362,6 +372,16 @@ so-es-cluster-settings: - docker_container: so-elasticsearch - file: es_sync_scripts +so-elasticsearch-ilm-policy-load: + cmd.run: + - name: /usr/sbin/so-elasticsearch-ilm-policy-load + - cwd: /opt/so + - require: + - docker_container: so-elasticsearch + - file: so-elasticsearch-ilm-policy-load-script + - onchanges: + - file: so-elasticsearch-ilm-policy-load-script + so-elasticsearch-templates: cmd.run: - name: /usr/sbin/so-elasticsearch-templates-load From 1255c6031746df6a444ff59df319b3982152514c Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 10 Feb 2023 18:59:45 +0000 Subject: [PATCH 077/470] Move policy load script into Elasticsearch state script directory --- .../sbin/so-elasticsearch-ilm-policy-load | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load new file mode 100755 index 000000000..dda521736 --- /dev/null +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load 
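Review bot: `so-elasticsearch-ilm-policy-load` uses `cmd.run` with `onchanges` on the rendered script, so Salt's result for this state is the script's exit status; as written at L437 the script always ends in `echo` and never exits non-zero, which means a failed policy PUT still leaves the state green and, because the file then no longer changes, it is not retried on the next highstate. `mode: 754` is an unquoted integer; Salt documents file modes as strings (`mode: '754'`), which also avoids the YAML octal trap for modes written with a leading zero. Requiring `docker_container: so-elasticsearch` ensures the container state ran but not that Elasticsearch is answering; if the other loaders in this file wait for the service, this state should share that dependency.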
@@ -0,0 +1,21 @@ +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %} +{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ESCONFIG.elasticsearch.index_settings, merge=True) %} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} + +{%- for index, settings in ES_INDEX_SETTINGS.items() %} + {%- if settings.policy is defined %} +echo +echo "Setting up {{ index }}-logs policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -k -L -X PUT "https://{{ NODEIP }}:9200/_ilm/policy/{{ index }}-logs" -H 'Content-Type: application/json' -d'{ "policy": {{ settings.policy | tojson(true) }} }' +echo + {%- endif %} +{%- endfor %} +echo From acda03ce406cacce9c7b10ca1da7005304aa4a6e Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 10 Feb 2023 14:57:11 -0500 Subject: [PATCH 078/470] Add annotation settings for Elasticsearch's ILM feature, and remove various index keys --- salt/elasticsearch/soc_elasticsearch.yaml | 72 ++++++++++++----------- 1 file changed, 39 insertions(+), 33 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index d9de9343e..26d4890c2 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -36,7 +36,7 @@ elasticsearch: global: True helpLink: elasticsearch.html index_settings: - so-aws: &indexSettings + so-elasticsearch: &indexSettings warm: description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. global: True 
@@ -75,45 +75,51 @@ elasticsearch: description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. global: True helpLink: elasticsearch.html - so-azure: *indexSettings - so-barracuda: *indexSettings - so-beats: *indexSettings - so-bluecoat: *indexSettings - so-cef: *indexSettings - so-checkpoint: *indexSettings - so-cisco: *indexSettings - so-cyberark: *indexSettings - so-cylance: *indexSettings - so-elasticsearch: *indexSettings + policy: + phases: + hot: + min_age: + description: Minimum age + global: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Priority of index, used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + global: True + helpLink: elasticsearch.html + rollover: + max_age: + description: Maximum age of index. Once an index reaches this limit, it will be rolled over into a new index. + global: True + helpLink: elasticsearch.html + max_primary_shard_size: + description: Maximum primary shard size. Once an index reaches this limit, it will be rolled over into a new index. + global: True + helpLink: elasticsearch.html + cold: + min_age: + description: Minimum age of index, determining when it should be sent to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + global: True + helpLink: elasticsearch.html + actions: + set_priority: + priority: + description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. + global: True + helpLink: elasticsearch.html + delete: + min_age: + description: Minimum age of index, determining when it should be deleted. 
+ global: True + helpLink: elastic so-endgame: *indexSettings - so-f5: *indexSettings so-firewall: *indexSettings - so-fortinet: *indexSettings - so-gcp: *indexSettings - so-google_workspace: *indexSettings - so-ids: *indexSettings - so-imperva: *indexSettings so-import: *indexSettings - so-infoblox: *indexSettings - so-juniper: *indexSettings so-kibana: *indexSettings so-logstash: *indexSettings - so-microsoft: *indexSettings - so-misp: *indexSettings - so-netflow: *indexSettings - so-netscout: *indexSettings - so-o365: *indexSettings - so-okta: *indexSettings so-osquery: *indexSettings - so-proofpoint: *indexSettings - so-radware: *indexSettings so-redis: *indexSettings - so-snort: *indexSettings - so-snyk: *indexSettings - so-sonicwall: *indexSettings - so-sophos: *indexSettings so-strelka: *indexSettings so-syslog: *indexSettings - so-tomcat: *indexSettings so-zeek: *indexSettings - so-zscaler: *indexSettings From cd27ae89ccba23311723c71c61c9ba9185eb6700 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 16:34:06 -0500 Subject: [PATCH 079/470] influx upgrade --- salt/common/tools/sbin/so-influxdb-manage | 238 ++++++++++++++++++++++ salt/common/tools/sbin/so-influxdb-user | 114 ----------- salt/common/tools/sbin/so-user | 14 +- salt/influxdb/buckets.json.jinja | 3 + salt/influxdb/config.yaml.jinja | 5 +- salt/influxdb/defaults.yaml | 12 +- salt/influxdb/init.sls | 24 ++- salt/influxdb/map.jinja | 11 +- salt/influxdb/soc_influxdb.yaml | 10 +- salt/soc/defaults.map.jinja | 6 +- salt/soc/defaults.yaml | 6 +- 11 files changed, 288 insertions(+), 155 deletions(-) create mode 100644 salt/common/tools/sbin/so-influxdb-manage delete mode 100644 salt/common/tools/sbin/so-influxdb-user create mode 100644 salt/influxdb/buckets.json.jinja diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage new file mode 100644 index 000000000..e5f480369 --- /dev/null +++ b/salt/common/tools/sbin/so-influxdb-manage 
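Review bot: `helpLink: elastic` under `policy.phases.delete.min_age` is truncated relative to every other entry in this hunk, which use `helpLink: elasticsearch.html`, so the SOC help link for that setting will point at a non-existent page; change it to `helpLink: elasticsearch.html`. The new `policy` annotation tree is attached only to the `so-elasticsearch` anchor, which is fine as long as the remaining `*indexSettings` aliases are meant to inherit the same ILM phase descriptions.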
@@ -0,0 +1,238 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common + +usage() { + echo "Usage: $0 [args]" + echo "" + echo "Supported Operations:" + echo " setup Loads all templates and creates all required buckets" + echo " templateapply Applies a single template file, requires: " + echo " userlist Lists users" + echo " useradd Adds a new user, requires: " + echo " userdel Removes an existing user, requires: " + echo " userenable Enables a user, requires: " + echo " userdisable Disables a user, requires: " + echo " userpass Updates a user's password, requires: " + echo "" + echo "If required, the password will be read from STDIN." + exit 1 +} + +if [ $# -lt 1 ]; then + usage +fi + +OP=$1 +shift + +set -eo pipefail + +log() { + echo -e "$(date) | InfluxDB | $@" >&2 +} + +check_response() { + response=$1 + if [[ "$response" =~ "\"code\":" ]]; then + log "Failed. 
Check the response for more details.\n$response" + exit 1 + fi +} + +lookup_user_id() { + token=$1 + email=$2 + response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $token") + check_response "$response" + uid=$(echo "$response" | jq -r ".users[] | select(.name == \"$email\").id") + if [[ -z "$uid" ]]; then + log "User not found" + exit 1 + fi + echo "$uid" +} + +lookup_org_id() { + token=$1 + response=$(curl -sk https://localhost:8086/api/v2/orgs?limit=100 -H "Authorization: Token $token") + check_response "$response" + oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id") + if [[ -z "$oid" ]]; then + log "Organization not found" + exit 1 + fi + echo "$oid" +} + +lookup_stack_id() { + token=$1 + oid=$2 + response=$(curl -sk "https://localhost:8086/api/v2/stacks?orgID=$oid&name=Security+Onion" -H "Authorization: Token $token") + check_response "$response" + stackid=$(echo "$response" | jq -r ".stacks[0].id") + if [[ -z "$stackid" || "$stackid" == null ]]; then + response=$(curl -sk https://localhost:8086/api/v2/stacks -X POST -d "{\"name\":\"Security Onion\",\"orgID\":\"$oid\"}" -H "Authorization: Token $token") + check_response "$response" + stackid=$(echo "$response" | jq -r .id) + fi + echo "$stackid" +} + +add_user_to_org() { + token=$1 + uid=$2 + oid=$3 + log "Adding new user to organization" + response=$(curl -sk https://localhost:8086/api/v2/orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}" -H "Authorization: Token $token") + check_response "$response" +} + +change_password() { + token=$1 + uid=$2 + set +e + test -t 0 + if [[ $? 
== 0 ]]; then + echo "Enter new password:" + fi + set -e + read -rs pass + check_password_and_exit "$pass" + response=$(curl -sk https://localhost:8086/api/v2/users/$uid/password -X POST -d "{\"password\":\"$pass\"}" -H "Authorization: Token $token") + check_response "$response" +} + +apply_template() { + token=$1 + oid=$2 + stackid=$3 + file=$4 + content=$(cat $file) + body="{\"orgID\":\"$oid\",\"stackID\":\"$stackid\",\"template\":{\"contents\":$content}}" + response=$(curl -sk https://localhost:8086/api/v2/templates/apply -X POST -d "$body" -H "Authorization: Token $token") + check_response "$response" +} + +create_bucket() { + token=$1 + oid=$2 + name=$3 + age=$4 + shardduration=$5 + + response=$(curl -sk "https://localhost:8086/api/v2/buckets?orgID=$oid&name=$name" -H "Authorization: Token $token") + check_response "$response" + bucketid=$(echo "$response" | jq -r ".buckets[0].id") + if [[ -z "$stackid" || "$stackid" == null ]]; then + response=$(curl -sk https://localhost:8086/api/v2/buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"oid\"}" -H "Authorization: Token $token") + check_response "$response" + bucketid=$(echo "$response" | jq -r .id) + fi + response=$(curl -sk "https://localhost:8086/api/v2/buckets/$bucketid" -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}" -H "Authorization: Token $token") + check_response "$response" +} + +case "$OP" in + + templateload) + [ $# -ne 1 ] && usage + file=$1 + log "Applying template file; file=$file" + token=$(lookup_pillar_secret influx_token) + oid=$(lookup_org_id "$token") + stackid=$(lookup_stack_id "$token" "$oid") + apply_template "$token" "$oid" "$stackid" "$file" + ;; + + setup) + log "Ensuring organization is setup correctly" + token=$(lookup_pillar_secret influx_token) + oid=$(lookup_org_id "$token") + + # Load templates + stackid=$(lookup_stack_id "$token" "$oid") + for file in /opt/so/conf/influxdb/templates/*; do + 
log "Ensuring template is loaded; template=$file" + apply_template "$token" "$oid" "$stackid" "$file" + done + + # Setup buckets and retention periods + for rp in so_short_term so_long_term; do + bucket=telegraf/$rp + log "Ensuring bucket is created and configured; bucket=$bucket" + age=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.duration) + shard_duration=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.shard_duration) + create_bucket "$token" "$oid" "$bucket" "$age" "$shard_duration" + done + ;; + + userlist) + log "Listing existing users" + token=$(lookup_pillar_secret influx_token) + response=$(curl -sk https://localhost:8086/api/v2/users -H "Authorization: Token $token") + check_response "$response" + echo "$response" | jq -r '.users[] | "\(.id): \(.name) (\(.status))"' + ;; + + useradd) + [ $# -ne 1 ] && usage + email=$1 + log "Adding new user; email=$email" + token=$(lookup_pillar_secret influx_token) + oid=$(lookup_org_id "$token") + response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$email\"}" -H "Authorization: Token $token") + check_response "$response" + uid=$(echo "$response" | jq -r .id) + add_user_to_org "$token" "$uid" "$oid" + change_password "$token" "$uid" + ;; + + userpass) + [ $# -ne 1 ] && usage + email=$1 + log "Updating user password; email=$email" + token=$(lookup_pillar_secret influx_token) + uid=$(lookup_user_id "$token" "$email") + change_password "$token" "$uid" + ;; + + userdel) + [ $# -ne 1 ] && usage + email=$1 + log "Deleting user; email=$email" + token=$(lookup_pillar_secret influx_token) + uid=$(lookup_user_id "$token" "$email") + response=$(curl -sk https://localhost:8086/api/v2/users/$uid -X DELETE -H "Authorization: Token $token") + check_response "$response" + ;; + + userenable) + [ $# -ne 1 ] && usage + email=$1 + log "Enabling user; email=$email" + token=$(lookup_pillar_secret influx_token) + uid=$(lookup_user_id "$token" "$email") + response=$(curl -sk 
https://localhost:8086/api/v2/users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"active\"}" -H "Authorization: Token $token") + check_response "$response" + ;; + + userdisable) + [ $# -ne 1 ] && usage + email=$1 + log "Disabling user; email=$email" + token=$(lookup_pillar_secret influx_token) + uid=$(lookup_user_id "$token" "$email") + response=$(curl -sk https://localhost:8086/api/v2/users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"inactive\"}" -H "Authorization: Token $token") + check_response "$response" + ;; + + *) + usage + ;; +esac diff --git a/salt/common/tools/sbin/so-influxdb-user b/salt/common/tools/sbin/so-influxdb-user deleted file mode 100644 index 90cf84e25..000000000 --- a/salt/common/tools/sbin/so-influxdb-user +++ /dev/null 
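Review bot: In `change_password` the password read from stdin is spliced straight into the JSON body (`{\"password\":\"$pass\"}`), so any `"` or `\` in it yields invalid JSON and a quiet API error, and because the body is passed via `-d` on the command line it is visible to every local user in `ps`/`/proc/*/cmdline` for the duration of the request, as is the admin token in the `Authorization` header. Build the body with jq and feed it on stdin: `body=$(jq -cn --arg p "$pass" '{password:$p}')` followed by `curl ... -d @- <<< "$body"`; the token could be moved into a root-only curl config file passed with `-K`, as the Elasticsearch scripts do. The same interpolation applies to `email` in the jq filters of `lookup_user_id` and the `useradd` body, where `jq --arg` would avoid breaking on quotes.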
@@ -1,114 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -. /usr/sbin/so-common - -usage() { - echo "Usage: $0 " - echo "" - echo "Supported Operations:" - echo " add Adds a new user" - echo " delete Removes an existing user" - echo " enable Enables a user" - echo " disable Disables a user" - echo " password Updates a user's password" - echo "" - echo "If required, the password will be read from STDIN." - exit 1 -} - -if [ $# -ne 2 ]; then - usage -fi - -KIND=InfluxDB -OP=$1 -USER_EMAIL=$2 -TOKEN=$(lookup_pillar_secret influx_token) - -log() { - echo -e "$@" -} - -read_password() { - # Read password for new user from stdin - set +e - test -t 0 - if [[ $? == 0 ]]; then - echo "Enter new password:" - fi - set -e - read -rs USER_PASS - - check_password_and_exit "$USER_PASS" -} - -check_response() { - response=$1 - if [[ "$response" =~ "\"code\":" ]]; then - log "Failed. 
Check the response for more details.\n$response" - exit 1 - fi -} - -set -eo pipefail - -if [[ "$OP" == "add" ]]; then - log "Creating new $KIND user" - response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$USER_EMAIL\"}" -H "Authorization: Token $TOKEN") - check_response "$response" -fi - -log "Looking up user ID" -response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $TOKEN") -check_response "$response" -USER_ID=$(echo "$response" | jq -r ".users[] | select(.name == \"$USER_EMAIL\").id") -if [[ -z "$USER_ID" ]]; then - log "$KIND user not found" - exit 1 -fi - -log "Looking up organization ID" -response=$(curl -sk https://localhost:8086/api/v2/orgs?limit=100 -H "Authorization: Token $TOKEN") -check_response "$response" -ORG_ID=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id") -if [[ -z "$ORG_ID" ]]; then - log "$KIND organization not found" - exit 1 -fi - -if [[ "$OP" == "add" ]]; then - log "Adding new $KIND user to organization" - response=$(curl -sk https://localhost:8086/api/v2/orgs/$ORG_ID/members -X POST -d "{\"id\":\"$USER_ID\"}" -H "Authorization: Token $TOKEN") - check_response "$response" - OP=password -fi - -if [[ "$OP" == "password" ]]; then - read_password - log "Updating $KIND user password" - response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID/password -X POST -d "{\"password\":\"$USER_PASS\"}" -H "Authorization: Token $TOKEN") - check_response "$response" -fi - -if [[ "$OP" == "delete" ]]; then - log "Deleting $KIND user" - response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X DELETE -H "Authorization: Token $TOKEN") - check_response "$response" -fi - -if [[ "$OP" == "enable" ]]; then - log "Enabling $KIND user" - response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"active\"}" -H "Authorization: Token $TOKEN") - check_response "$response" -fi - -if [[ "$OP" == 
"disable" ]]; then - log "Disabling $KIND user" - response=$(curl -sk https://localhost:8086/api/v2/users/$USER_ID -X PATCH -d "{\"name\":\"$USER_EMAIL\",\"status\":\"inactive\"}" -H "Authorization: Token $TOKEN") - check_response "$response" -fi diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 46feef640..da6f3a4fb 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -587,8 +587,7 @@ case "${operation}" in createUser "$email" "${role:-$DEFAULT_ROLE}" "${firstName}" "${lastName}" "${note}" syncAll echo "Successfully added new user to SOC" - check_container fleet && echo "$password" | so-fleet-user-add "$email" - echo "$password" | so-influxdb-user add "$email" + echo "$password" | so-influxdb-manage useradd "$email" ;; "list") @@ -629,7 +628,7 @@ case "${operation}" in updateUserPassword "$email" syncAll echo "Successfully updated user password" - echo "$password" | so-influxdb-user password "$email" + echo "$password" | so-influxdb-manage userpass "$email" ;; "profile") @@ -649,8 +648,7 @@ case "${operation}" in updateStatus "$email" 'active' syncAll echo "Successfully enabled user" - echo "Fleet user will need to be recreated manually with so-fleet-user-add" - so-influxdb-user enable "$email" + so-influxdb-manage userenable "$email" ;; "disable") @@ -661,8 +659,7 @@ case "${operation}" in updateStatus "$email" 'locked' syncAll echo "Successfully disabled user" - check_container fleet && so-fleet-user-delete "$email" - so-influxdb-user disable "$email" + so-influxdb-manage userdisable "$email" ;; "delete") @@ -673,8 +670,7 @@ case "${operation}" in deleteUser "$email" syncAll echo "Successfully deleted user" - check_container fleet && so-fleet-user-delete "$email" - so-influxdb-user delete "$email" + so-influxdb-manage userdel "$email" ;; "sync") diff --git a/salt/influxdb/buckets.json.jinja b/salt/influxdb/buckets.json.jinja new file mode 100644 index 000000000..1e4655d31 --- /dev/null 
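Review bot: In the `add` case the InfluxDB user is created after `Successfully added new user to SOC` has already been printed and the exit status of `so-influxdb-manage useradd` is not examined, so a failed InfluxDB call (it exits 1 on any API error) leaves the two user stores out of sync without telling the operator, unless so-user runs under `set -e`, which is outside this hunk. Suggest `echo "$password" | so-influxdb-manage useradd "$email" || echo "Warning: SOC user created but InfluxDB user creation failed for $email" >&2`. The enclosing `case` starts and ends outside the hunk.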
+++ b/salt/influxdb/buckets.json.jinja @@ -0,0 +1,3 @@ +{%- from 'influxdb/map.jinja' import INFLUXMERGED %} + +{{ INFLUXMERGED.buckets | json }} \ No newline at end of file diff --git a/salt/influxdb/config.yaml.jinja b/salt/influxdb/config.yaml.jinja index 720c4967c..50b8ff940 100644 --- a/salt/influxdb/config.yaml.jinja +++ b/salt/influxdb/config.yaml.jinja @@ -1,4 +1,3 @@ -{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %} -{%- set INFLUXMERGED = salt['pillar.get']('influxdb:config', default=INFLUXDEFAULTS.influxdb.config, merge=true) %} +{%- from 'influxdb/map.jinja' import INFLUXMERGED %} -{{ INFLUXMERGED | yaml(false) }} \ No newline at end of file +{{ INFLUXMERGED.config | yaml(false) }} \ No newline at end of file diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml index 82e59db90..983844faf 100644 --- a/salt/influxdb/defaults.yaml +++ b/salt/influxdb/defaults.yaml @@ -65,15 +65,13 @@ influxdb: vault-skip-verify: false vault-tls-server-name: "" vault-token: "" - retention_policies: + buckets: so_short_term: - default: True - duration: 30d - shard_duration: 1d + duration: 2592000 + shard_duration: 86400 so_long_term: - default: False - duration: 0d - shard_duration: 7d + duration: 0 + shard_duration: 604800 downsample: so_long_term: resolution: 5m \ No newline at end of file diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index a3a59db70..96b1e7b76 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls 
@@ -33,10 +33,31 @@ influxdbdir: influxdbconf: file.managed: - name: /opt/so/conf/influxdb/config.yaml + - source: salt://influxdb/config.yaml.jinja - user: 939 - group: 939 - template: jinja - - source: salt://influxdb/config.yaml.jinja + +influxdbbucketsconf: + file.managed: + - name: /opt/so/conf/influxdb/buckets.json + - source: salt://influxdb/buckets.json.jinja + - user: 939 + - group: 939 + - template: jinja + +influxdb-templates: + file.recurse: + - name: /opt/so/conf/influxdb/templates + - source: salt://influxdb/templates + - user: 939 + - group: 939 + - template: jinja + - clean: True + +influxdb-setup: + cmd.run: + - name: /usr/sbin/so-influxdb-setup so-influxdb: docker_container.running: @@ -53,7 +74,6 @@ so-influxdb: - DOCKER_INFLUXDB_INIT_PASSWORD={{ PASSWORD }} - DOCKER_INFLUXDB_INIT_ORG=Security Onion - DOCKER_INFLUXDB_INIT_BUCKET=telegraf/so_short_term - - DOCKER_INFLUXDB_INIT_RETENTION=30d - DOCKER_INFLUXDB_INIT_ADMIN_TOKEN={{ TOKEN }} - binds: - /opt/so/log/influxdb/:/log:rw diff --git a/salt/influxdb/map.jinja b/salt/influxdb/map.jinja index a13d4c257..ecbdd1306 100644 --- a/salt/influxdb/map.jinja +++ b/salt/influxdb/map.jinja @@ -1,9 +1,2 @@ -{% import_yaml 'influxdb/defaults.yaml' as INFLUXDB %} -{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %} - -{% if measurements|length > 0 %} -{% do INFLUXDB.influxdb.downsample.so_long_term.update('measurements': [])%} -{% for measurement in measurements.splitlines() %} -{% do INFLUXDB.influxdb.downsample.so_long_term.measurements.append(measurement)%} -{% endfor %} -{% endif %} +{%- import_yaml 'influxdb/defaults.yaml' as INFLUXDEFAULTS %} +{%- set INFLUXMERGED = salt['pillar.get']('influxdb', default=INFLUXDEFAULTS.influxdb, merge=true) %} 
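Review bot: `influxdb-setup` runs `/usr/sbin/so-influxdb-setup` on every highstate with no requisites and is declared before `so-influxdb: docker_container.running`, so under Salt's default ordering a fresh install executes it before the container is up; the target name also does not match the `so-influxdb-manage` script this commit adds. Add `- require:` / `  - docker_container: so-influxdb` and make the state `onchanges` on `influxdbbucketsconf` and `influxdb-templates` so it only re-runs when the rendered configuration actually changes.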
diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml index cbef9db85..7f6ceb316 100644 --- a/salt/influxdb/soc_influxdb.yaml +++ b/salt/influxdb/soc_influxdb.yaml @@ -328,23 +328,23 @@ influxdb: global: True advanced: True helpLink: influxdb.html - retention_policies: + buckets: so_short_term: duration: - description: Amount of time to keep short term data. + description: Amount of time (in seconds) to keep short term data. global: True helpLink: influxdb.html shard_duration: - description: Time range + description: Amount of the time (in seconds) range covered by the shard group. global: True helpLink: influxdb.html so_long_term: duration: - description: Amount of time to keep long term downsampled data. + description: Amount of time (in seconds) to keep long term downsampled data. global: True helpLink: influxdb.html shard_duration: - description: Amount of the time range covered by the shard group. + description: Amount of the time (in seconds) range covered by the shard group. global: True helpLink: influxdb.html downsample: diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index e26a8050f..912b16f46 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -1,6 +1,7 @@ {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER -%} +{%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} {% for module, application_url in GLOBALS.application_urls.items() %} {% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %} 
@@ -15,9 +16,8 @@ {% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %} -{% if GLOBALS.role != 'so-import' %} -{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} -{% endif %} +{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} +{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %} {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %} diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index b83b94493..0723f2da9 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1031,9 +1031,9 @@ soc: asyncThreshold: 10 influxdb: hostUrl: - token: '' - org: '' - bucket: telegraf + token: + org: Security Onion + bucket: telegraf/so_short_term verifyCert: false salt: saltPipe: /opt/sensoroni/salt/pipe From 7dee2686ac3eec272f1074cc0133b575d37452df Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 18:19:31 -0500 Subject: [PATCH 080/470] influx upgrade --- salt/common/tools/sbin/so-influxdb-manage | 80 ++++++++++++----------- salt/influxdb/init.sls | 2 +- salt/influxdb/templates/container.json | 2 +- salt/influxdb/templates/host.json | 2 +- salt/influxdb/templates/role.json | 2 +- 5 files changed, 47 insertions(+), 41 deletions(-) diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage index e5f480369..40eb2e1e2 100644 --- a/salt/common/tools/sbin/so-influxdb-manage +++ b/salt/common/tools/sbin/so-influxdb-manage 
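Review bot: `INFLUXDB_TOKEN` is `secrets:influx_token`, the same value so-influxdb-manage uses for operator actions (creating users, buckets and stacks) and which init.sls passes as `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN`, so SOC is being handed the all-access admin token for what appears to be read-only dashboard queries against `telegraf/so_short_term`. Consider having the `setup` subcommand mint a read-scoped token for that bucket via `POST /api/v2/authorizations` and store that in the pillar for SOC instead, keeping the admin token off the SOC config. Removing the `so-import` guard also means import nodes now receive an influx `hostUrl`; that looks intentional but is worth confirming for nodes that do not run the container.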
@@ -12,7 +12,6 @@ usage() { echo "" echo "Supported Operations:" echo " setup Loads all templates and creates all required buckets" - echo " templateapply Applies a single template file, requires: " echo " userlist Lists users" echo " useradd Adds a new user, requires: " echo " userdel Removes an existing user, requires: " @@ -108,18 +107,17 @@ change_password() { check_response "$response" } -apply_template() { +apply_templates() { token=$1 oid=$2 stackid=$3 - file=$4 - content=$(cat $file) - body="{\"orgID\":\"$oid\",\"stackID\":\"$stackid\",\"template\":{\"contents\":$content}}" + template_objects_array=$4 + body="{\"orgID\":\"$oid\",\"stackID\":\"$stackid\",\"templates\":$template_objects_array}" response=$(curl -sk https://localhost:8086/api/v2/templates/apply -X POST -d "$body" -H "Authorization: Token $token") check_response "$response" } -create_bucket() { +setup_bucket() { token=$1 oid=$2 name=$3 
@@ -127,50 +125,58 @@ create_bucket() { shardduration=$5 response=$(curl -sk "https://localhost:8086/api/v2/buckets?orgID=$oid&name=$name" -H "Authorization: Token $token") - check_response "$response" bucketid=$(echo "$response" | jq -r ".buckets[0].id") - if [[ -z "$stackid" || "$stackid" == null ]]; then - response=$(curl -sk https://localhost:8086/api/v2/buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"oid\"}" -H "Authorization: Token $token") + if [[ -z "$bucketid" || "$bucketid" == null ]]; then + response=$(curl -sk https://localhost:8086/api/v2/buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"$oid\"}" -H "Authorization: Token $token") check_response "$response" bucketid=$(echo "$response" | jq -r .id) fi - response=$(curl -sk "https://localhost:8086/api/v2/buckets/$bucketid" -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}" -H "Authorization: Token $token") + response=$(curl -sk "https://localhost:8086/api/v2/buckets/$bucketid" -X PATCH -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}" -H "Authorization: Token $token") check_response "$response" } case "$OP" in - templateload) - [ $# -ne 1 ] && usage - file=$1 - log "Applying template file; file=$file" - token=$(lookup_pillar_secret influx_token) - oid=$(lookup_org_id "$token") - stackid=$(lookup_stack_id "$token" "$oid") - apply_template "$token" "$oid" "$stackid" "$file" - ;; - setup) log "Ensuring organization is setup correctly" - token=$(lookup_pillar_secret influx_token) - oid=$(lookup_org_id "$token") - # Load templates - stackid=$(lookup_stack_id "$token" "$oid") - for file in /opt/so/conf/influxdb/templates/*; do - log "Ensuring template is loaded; template=$file" - apply_template "$token" "$oid" "$stackid" "$file" - done + # Load templates if at least one has been modified since the last setup + newest=$(ls -1t 
/opt/so/conf/influxdb/templates/ | head -1) + if [ /opt/so/conf/influxdb/templates/$newest -nt /opt/so/conf/influxdb/last_template_setup ]; then + log "Updating templates" + token=$(lookup_pillar_secret influx_token) + oid=$(lookup_org_id "$token") + stackid=$(lookup_stack_id "$token" "$oid") + for file in /opt/so/conf/influxdb/templates/*; do + if [[ "$templates_array" != "" ]]; then + templates_array="$templates_array," + fi + template=$(cat "$file") + templates_array="$templates_array{\"contents\":$template}" + done + apply_templates "$token" "$oid" "$stackid" "[$templates_array]" + echo $(date) > /opt/so/conf/influxdb/last_template_setup + else + log "Templates have not been modified since last setup" + fi - # Setup buckets and retention periods - for rp in so_short_term so_long_term; do - bucket=telegraf/$rp - log "Ensuring bucket is created and configured; bucket=$bucket" - age=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.duration) - shard_duration=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.shard_duration) - create_bucket "$token" "$oid" "$bucket" "$age" "$shard_duration" - done - ;; + # Setup buckets and retention periods if at least one has been modified since the last setup + if [ /opt/so/conf/influxdb/buckets.json -nt /opt/so/conf/influxdb/last_bucket_setup ]; then + log "Updating buckets and retention periods" + token=$(lookup_pillar_secret influx_token) + oid=$(lookup_org_id "$token") + for rp in so_short_term so_long_term; do + bucket=telegraf/$rp + log "Ensuring bucket is created and configured; bucket=$bucket" + age=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.duration) + shard_duration=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.shard_duration) + setup_bucket "$token" "$oid" "$bucket" "$age" "$shard_duration" + done + echo $(date) > /opt/so/conf/influxdb/last_bucket_setup + else + log "Buckets have not been modified since last setup" + fi + ;; userlist) log "Listing existing users" 
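Review bot: `setup_bucket` drops the `check_response` after the bucket lookup, presumably because a missing bucket answers with a `code` of `not found`, but that now also swallows `unauthorized` and connection-level failures (an empty response makes `bucketid` null), so the script proceeds to a create that fails with a less useful message. Guard the lookup specifically: `if [[ "$response" =~ "\"code\":" && ! "$response" =~ "not found" ]]; then check_response "$response"; fi`. Separately, `echo $(date) > .../last_template_setup` can simply be `touch .../last_template_setup`, and the `ls -1t | head -1` freshness check breaks on filenames containing whitespace; `find "$dir" -newer "$marker"` expresses the same intent without parsing `ls`.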
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 96b1e7b76..efd46ac7d 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -57,7 +57,7 @@ influxdb-templates: influxdb-setup: cmd.run: - - name: /usr/sbin/so-influxdb-setup + - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log so-influxdb: docker_container.running: diff --git a/salt/influxdb/templates/container.json b/salt/influxdb/templates/container.json index 77ff20bde..48f8ac95d 100644 --- a/salt/influxdb/templates/container.json +++ b/salt/influxdb/templates/container.json @@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] 
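Review bot: `&>>` is a bash-only redirection; Salt's `cmd.run` executes through `/bin/sh` unless `shell` is set, and under a POSIX sh such as dash `so-influxdb-manage setup &>> file` is parsed as backgrounding the command and then appending nothing, so setup would run detached with no log. The Security Onion base images likely ship bash as `/bin/sh`, but it is safer not to rely on that: `- name: /usr/sbin/so-influxdb-manage setup >> /opt/so/log/influxdb/setup.log 2>&1`.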
diff --git a/salt/influxdb/templates/host.json b/salt/influxdb/templates/host.json index adfdf884f..8d9f663e1 100644 --- a/salt/influxdb/templates/host.json +++ b/salt/influxdb/templates/host.json @@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] diff --git a/salt/influxdb/templates/role.json b/salt/influxdb/templates/role.json index 72b48bdd7..2a895563c 100644 --- a/salt/influxdb/templates/role.json +++ b/salt/influxdb/templates/role.json 
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] From 39009ce938d746c6c566b69a66ecdb3d1094f761 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 18:32:01 -0500 Subject: [PATCH 081/470] influx upgrade --- salt/influxdb/templates/container.json | 2 +- salt/influxdb/templates/host.json | 2 +- salt/influxdb/templates/role.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/influxdb/templates/container.json b/salt/influxdb/templates/container.json index 48f8ac95d..3713444b3 100644 --- a/salt/influxdb/templates/container.json +++ b/salt/influxdb/templates/container.json 
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] diff --git a/salt/influxdb/templates/host.json b/salt/influxdb/templates/host.json index 8d9f663e1..8e465c803 100644 --- a/salt/influxdb/templates/host.json +++ b/salt/influxdb/templates/host.json 
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"Host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] diff --git a/salt/influxdb/templates/role.json b/salt/influxdb/templates/role.json index 2a895563c..af65a14f3 100644 --- a/salt/influxdb/templates/role.json +++ b/salt/influxdb/templates/role.json @@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"Role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] 
From 0056b8f703e51682943f386d189c5a8e72df588d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 18:35:18 -0500 Subject: [PATCH 082/470] influx upgrade --- salt/influxdb/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml index 983844faf..373f6a603 100644 --- a/salt/influxdb/defaults.yaml +++ b/salt/influxdb/defaults.yaml @@ -26,7 +26,7 @@ influxdb: query-queue-size: 500 reporting-disabled: true secret-store: bolt - session-length: 60 + session-length: 10080 session-renew-disabled: false sqlite-path: /var/lib/influxdb2/influxd.sqlite storage-cache-max-memory-size: 1073741824 From 4f0af9ac6b6f4ee2aa9350aecb1be31b7197ab5e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 18:41:29 -0500 Subject: [PATCH 083/470] influx upgrade --- salt/influxdb/templates/container.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/templates/container.json b/salt/influxdb/templates/container.json index 3713444b3..8e3b86530 100644 --- a/salt/influxdb/templates/container.json +++ b/salt/influxdb/templates/container.json 
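Review bot: `session-length: 10080` raises the InfluxDB UI session TTL from 60 to 10080, which, if the field is in minutes as the previous default of 60 suggests, keeps a browser session valid for seven days; the neighbouring `session-renew-disabled: false` already extends active sessions, so the long value mainly benefits idle or forgotten sessions. A week-long lifetime for a password-protected UI deserves a recorded reason next to the value, e.g. `session-length: 10080  # minutes (7 days); active sessions also renew, see session-renew-disabled`. If the goal is only to stop users being logged out mid-shift, a shorter value such as one working day limits how long a stolen session cookie stays usable.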
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.Host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] From e5c26032c428680f814d91f08191af21c7e7bd17 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 19:37:59 -0500 Subject: [PATCH 084/470] influx upgrade --- salt/common/tools/sbin/so-influxdb-manage | 104 ++++++++++------------ salt/influxdb/curl.config.jinja | 1 + salt/influxdb/init.sls | 8 ++ salt/influxdb/templates/container.json | 2 +- salt/influxdb/templates/host.json | 2 +- salt/influxdb/templates/role.json | 2 +- 6 files changed, 61 insertions(+), 58 deletions(-) create mode 100644 salt/influxdb/curl.config.jinja 
diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage index 40eb2e1e2..964a1b517 100644 --- a/salt/common/tools/sbin/so-influxdb-manage +++ b/salt/common/tools/sbin/so-influxdb-manage @@ -44,10 +44,14 @@ check_response() { fi } +request() { + curl -skK /opt/so/conf/influxdb/curl.config "https://localhost:8086/api/v2/$@" +} + lookup_user_id() { - token=$1 - email=$2 - response=$(curl -sk https://localhost:8086/api/v2/users?limit=100 -H "Authorization: Token $token") + email=$1 + + response=$(request users?limit=100) check_response "$response" uid=$(echo "$response" | jq -r ".users[] | select(.name == \"$email\").id") if [[ -z "$uid" ]]; then @@ -58,8 +62,7 @@ lookup_user_id() { } lookup_org_id() { - token=$1 - response=$(curl -sk https://localhost:8086/api/v2/orgs?limit=100 -H "Authorization: Token $token") + response=$(request orgs?limit=100) check_response "$response" oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id") if [[ -z "$oid" ]]; then @@ -70,13 +73,13 @@ lookup_org_id() { } lookup_stack_id() { - token=$1 - oid=$2 - response=$(curl -sk "https://localhost:8086/api/v2/stacks?orgID=$oid&name=Security+Onion" -H "Authorization: Token $token") + oid=$1 + + response=$(request "stacks?orgID=$oid&name=Security+Onion") check_response "$response" stackid=$(echo "$response" | jq -r ".stacks[0].id") if [[ -z "$stackid" || "$stackid" == null ]]; then - response=$(curl -sk https://localhost:8086/api/v2/stacks -X POST -d "{\"name\":\"Security Onion\",\"orgID\":\"$oid\"}" -H "Authorization: Token $token") + response=$(request stacks -X POST -d "{\"name\":\"Security Onion\",\"orgID\":\"$oid\"}") check_response "$response" stackid=$(echo "$response" | jq -r .id) fi 
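Review bot: `lookup_user_id` now takes `email=$1` and still splices it into the jq program on the line below, `select(.name == \"$email\")`, so a name containing a double quote or backslash becomes a jq syntax error instead of a lookup miss; pass it as data: `uid=$(echo "$response" | jq -r --arg n "$email" '.users[] | select(.name == $n).id')`. Moving the token into `/opt/so/conf/influxdb/curl.config` via `-K` is the right direction, since the removed `-H "Authorization: Token $token"` exposed it in the process list for every call. The new `request` helper relies on bash expanding `"…/api/v2/$@"` into the first argument glued to the URL plus the remaining arguments as separate words; it works, but `path=$1; shift; curl -skK /opt/so/conf/influxdb/curl.config "https://localhost:8086/api/v2/$path" "$@"` says the same thing without the trick. `-k` still disables certificate checking on the localhost call; if the influxdb certificate's issuing CA is on disk, a `cacert = …` line in the same curl.config would let the flag go. The rest of `lookup_user_id` lies outside this hunk.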
@@ -84,17 +87,17 @@ lookup_stack_id() { } add_user_to_org() { - token=$1 - uid=$2 - oid=$3 + uid=$1 + oid=$2 + log "Adding new user to organization" - response=$(curl -sk https://localhost:8086/api/v2/orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}" -H "Authorization: Token $token") + response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}") check_response "$response" } change_password() { - token=$1 - uid=$2 + uid=$1 + set +e test -t 0 if [[ $? == 0 ]]; then 
@@ -103,35 +106,34 @@ change_password() { set -e read -rs pass check_password_and_exit "$pass" - response=$(curl -sk https://localhost:8086/api/v2/users/$uid/password -X POST -d "{\"password\":\"$pass\"}" -H "Authorization: Token $token") + response=$(request users/$uid/password -X POST -d "{\"password\":\"$pass\"}") check_response "$response" } apply_templates() { - token=$1 - oid=$2 - stackid=$3 - template_objects_array=$4 + oid=$1 + stackid=$2 + template_objects_array=$3 + body="{\"orgID\":\"$oid\",\"stackID\":\"$stackid\",\"templates\":$template_objects_array}" - response=$(curl -sk https://localhost:8086/api/v2/templates/apply -X POST -d "$body" -H "Authorization: Token $token") + response=$(request templates/apply -X POST -d "$body") check_response "$response" } setup_bucket() { - token=$1 - oid=$2 - name=$3 - age=$4 - shardduration=$5 + oid=$1 + name=$2 + age=$3 + shardduration=$4 - response=$(curl -sk "https://localhost:8086/api/v2/buckets?orgID=$oid&name=$name" -H "Authorization: Token $token") + response=$(request "buckets?orgID=$oid&name=$name") bucketid=$(echo "$response" | jq -r ".buckets[0].id") if [[ -z "$bucketid" || "$bucketid" == null ]]; then - response=$(curl -sk https://localhost:8086/api/v2/buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"$oid\"}" -H "Authorization: Token $token") + response=$(request buckets -X POST -d "{\"name\":\"$name\",\"orgID\":\"$oid\"}") check_response "$response" bucketid=$(echo "$response" | jq -r .id) fi - response=$(curl -sk "https://localhost:8086/api/v2/buckets/$bucketid" -X PATCH -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}" -H "Authorization: Token $token") + response=$(request buckets/$bucketid -X PATCH -d "{\"name\":\"$name\",\"retentionRules\":[{\"everySeconds\":$age,\"shardGroupDurationSeconds\":$shardduration,\"type\":\"expire\"}]}") check_response "$response" } 
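Review bot: `change_password` still sends the new password as a command-line argument, `request users/$uid/password -X POST -d "{\"password\":\"$pass\"}"`, so while the call runs it is readable by any local user through `ps` or `/proc/*/cmdline`; the commit took the token out of argv but left the password there. The body is also assembled by string interpolation, so a password containing `"` or `\` produces invalid JSON and the request fails after the user has already typed it. Both problems disappear by letting jq encode the value and handing it to curl on stdin: `body=$(jq -cn --arg p "$pass" '{password: $p}')` followed by `response=$(printf '%s' "$body" | request users/$uid/password -X POST -d @-)`. In `setup_bucket`, the first `request "buckets?orgID=$oid&name=$name"` is not passed through `check_response`, so an error reply is treated like "bucket absent" and the code proceeds to a create; checking it first gives a clearer failure. The start of `change_password` is outside this hunk.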
@@ -144,9 +146,8 @@ case "$OP" in newest=$(ls -1t /opt/so/conf/influxdb/templates/ | head -1) if [ /opt/so/conf/influxdb/templates/$newest -nt /opt/so/conf/influxdb/last_template_setup ]; then log "Updating templates" - token=$(lookup_pillar_secret influx_token) - oid=$(lookup_org_id "$token") - stackid=$(lookup_stack_id "$token" "$oid") + oid=$(lookup_org_id) + stackid=$(lookup_stack_id "$oid") for file in /opt/so/conf/influxdb/templates/*; do if [[ "$templates_array" != "" ]]; then templates_array="$templates_array," @@ -154,7 +155,7 @@ case "$OP" in template=$(cat "$file") templates_array="$templates_array{\"contents\":$template}" done - apply_templates "$token" "$oid" "$stackid" "[$templates_array]" + apply_templates "$oid" "$stackid" "[$templates_array]" echo $(date) > /opt/so/conf/influxdb/last_template_setup else log "Templates have not been modified since last setup" @@ -163,14 +164,13 @@ case "$OP" in # Setup buckets and retention periods if at least one has been modified since the last setup if [ /opt/so/conf/influxdb/buckets.json -nt /opt/so/conf/influxdb/last_bucket_setup ]; then log "Updating buckets and retention periods" - token=$(lookup_pillar_secret influx_token) - oid=$(lookup_org_id "$token") + oid=$(lookup_org_id) for rp in so_short_term so_long_term; do bucket=telegraf/$rp log "Ensuring bucket is created and configured; bucket=$bucket" age=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.duration) shard_duration=$(cat /opt/so/conf/influxdb/buckets.json | jq -r .$rp.shard_duration) - setup_bucket "$token" "$oid" "$bucket" "$age" "$shard_duration" + setup_bucket "$oid" "$bucket" "$age" "$shard_duration" done echo $(date) > /opt/so/conf/influxdb/last_bucket_setup else 
@@ -180,8 +180,7 @@ case "$OP" in userlist) log "Listing existing users" - token=$(lookup_pillar_secret influx_token) - response=$(curl -sk https://localhost:8086/api/v2/users -H "Authorization: Token $token") + response=$(request users) check_response "$response" echo "$response" | jq -r '.users[] | "\(.id): \(.name) (\(.status))"' ;; @@ -190,31 +189,28 @@ case "$OP" in [ $# -ne 1 ] && usage email=$1 log "Adding new user; email=$email" - token=$(lookup_pillar_secret influx_token) - oid=$(lookup_org_id "$token") - response=$(curl -sk https://localhost:8086/api/v2/users -X POST -d "{\"name\":\"$email\"}" -H "Authorization: Token $token") + oid=$(lookup_org_id) + response=$(request users -X POST -d "{\"name\":\"$email\"}") check_response "$response" uid=$(echo "$response" | jq -r .id) - add_user_to_org "$token" "$uid" "$oid" - change_password "$token" "$uid" + add_user_to_org "$uid" "$oid" + change_password "$uid" ;; userpass) [ $# -ne 1 ] && usage email=$1 log "Updating user password; email=$email" - token=$(lookup_pillar_secret influx_token) - uid=$(lookup_user_id "$token" "$email") - change_password "$token" "$uid" + uid=$(lookup_user_id "$email") + change_password "$uid" ;; userdel) [ $# -ne 1 ] && usage email=$1 log "Deleting user; email=$email" - token=$(lookup_pillar_secret influx_token) - uid=$(lookup_user_id "$token" "$email") - response=$(curl -sk https://localhost:8086/api/v2/users/$uid -X DELETE -H "Authorization: Token $token") + uid=$(lookup_user_id "$email") + response=$(request users/$uid -X DELETE) check_response "$response" ;; 
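Review bot: `useradd` posts `-d "{\"name\":\"$email\"}"` with the operator-supplied value spliced directly into the JSON text, so a name containing `"` or `\` yields a malformed body; build it with `-d "$(jq -cn --arg n "$email" '{name: $n}')"` so the request is always valid JSON. `$uid` in the `userpass`/`userdel` branches comes from jq output and is fine as-is, but `userdel` runs `request users/$uid -X DELETE` with no local non-empty check, relying on `lookup_user_id` to exit rather than return on a miss (its tail is outside this chunk, so that is worth confirming); an empty `$uid` would send the DELETE to `users/` instead of a specific user. A one-line guard, `[[ -n "$uid" ]] || fail "user not found"`, would make the branch safe regardless of the helper's behaviour.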
@@ -222,9 +218,8 @@ case "$OP" in [ $# -ne 1 ] && usage email=$1 log "Enabling user; email=$email" - token=$(lookup_pillar_secret influx_token) - uid=$(lookup_user_id "$token" "$email") - response=$(curl -sk https://localhost:8086/api/v2/users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"active\"}" -H "Authorization: Token $token") + uid=$(lookup_user_id "$email") + response=$(request users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"active\"}") check_response "$response" ;; @@ -232,9 +227,8 @@ case "$OP" in [ $# -ne 1 ] && usage email=$1 log "Disabling user; email=$email" - token=$(lookup_pillar_secret influx_token) - uid=$(lookup_user_id "$token" "$email") - response=$(curl -sk https://localhost:8086/api/v2/users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"inactive\"}" -H "Authorization: Token $token") + uid=$(lookup_user_id "$email") + response=$(request users/$uid -X PATCH -d "{\"name\":\"$email\",\"status\":\"inactive\"}") check_response "$response" ;; diff --git a/salt/influxdb/curl.config.jinja b/salt/influxdb/curl.config.jinja new file mode 100644 index 000000000..9f636e851 --- /dev/null +++ b/salt/influxdb/curl.config.jinja @@ -0,0 +1 @@ +header = "Authorization: Token {{ salt['pillar.get']('secrets:influx_token') }}" \ No newline at end of file diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index efd46ac7d..5b77a6b49 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -55,6 +55,14 @@ influxdb-templates: - template: jinja - clean: True +influxdb_curl_config: + file.managed: + - name: /opt/so/conf/influxdb/curl.config + - source: salt://influxdb/curl.config.jinja + - mode: 600 + - show_changes: False + - makedirs: True + influxdb-setup: cmd.run: - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log diff --git a/salt/influxdb/templates/container.json b/salt/influxdb/templates/container.json index 8e3b86530..e97ea246b 100644 --- a/salt/influxdb/templates/container.json 
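Review bot: `influxdb_curl_config` sets `mode: 600` but no `user`/`group`, so the token file's owner is simply whatever the minion runs as (normally root) rather than being stated, while the sibling states in this file pin `user: 939`/`group: 939`; make the intent explicit with `- user: root` and `- group: root` (the host-side script, not the container, reads this file) and write the mode as `'0600'` so a later leading zero is never parsed as an octal integer. `influxdb-setup` runs `so-influxdb-manage setup`, which now reads `/opt/so/conf/influxdb/curl.config`, yet nothing declares that dependency; Salt's default file ordering happens to run the file state first, but `- require: - file: influxdb_curl_config` on `influxdb-setup` keeps it correct if the states are ever reordered. `show_changes: False` is correctly set so the token does not surface in state output.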
+++ b/salt/influxdb/templates/container.json @@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.Host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-container"},"spec":{"language":"flux","name":"Container","query":"import \"array\"\n\ndynamic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"host\"] == v.Host)\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> keep(columns: [\"container_name\"])\n |> rename(fn: (column) => \"_value\")\n |> unique()\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["cool_gauss"],"type":"query"}}] diff --git a/salt/influxdb/templates/host.json b/salt/influxdb/templates/host.json index 8e465c803..293884aab 100644 --- a/salt/influxdb/templates/host.json +++ b/salt/influxdb/templates/host.json 
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"Host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-host"},"spec":{"language":"flux","name":"Host","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"host\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["dev"],"type":"query"}}] diff --git a/salt/influxdb/templates/role.json b/salt/influxdb/templates/role.json index af65a14f3..b189dddc8 100644 --- a/salt/influxdb/templates/role.json +++ b/salt/influxdb/templates/role.json @@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"Role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"All\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Variable","metadata":{"name":"variable-role"},"spec":{"language":"flux","name":"Role","query":"import \"influxdata/influxdb/schema\"\nimport \"array\"\n\ndynamic = schema.tagValues(bucket: \"telegraf/so_short_term\", tag: \"role\")\n\nstatic = array.from(\n rows: [\n {\n _value: \"(All)\",\n },\n ],\n)\n\nunion(tables: [static, dynamic])","selected":["standalone"],"type":"query"}}] 
From 34d19e308fe742a435ed1d7185ead54f315af833 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 10 Feb 2023 19:42:25 -0500 Subject: [PATCH 085/470] influx upgrade --- salt/influxdb/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 5b77a6b49..396b9567c 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -60,6 +60,7 @@ influxdb_curl_config: - name: /opt/so/conf/influxdb/curl.config - source: salt://influxdb/curl.config.jinja - mode: 600 + - template: jinja - show_changes: False - makedirs: True From 47af14c2655fd8f8e8975983ef300dd60af471da Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 13 Feb 2023 09:51:48 -0500 Subject: [PATCH 086/470] upgrade influx --- salt/common/tools/sbin/so-influxdb-clean | 45 ------------ salt/common/tools/sbin/so-influxdb-downsample | 55 --------------- .../tools/sbin/so-influxdb-drop-autogen | 26 ------- salt/influxdb/buckets.json.jinja | 2 - salt/influxdb/config.yaml.jinja | 2 - salt/influxdb/init.sls | 7 ++ salt/influxdb/templates/downsample.json | 1 + .../templates/security_onion_performance.json | 2 +- .../files/influxdb_continuous_query.py.patch | 4 -- .../files/influxdb_retention_policy.py.patch | 16 ----- salt/salt/files/influxdbmod.py.patch | 16 ----- salt/salt/map.jinja | 8 --- salt/salt/minion.sls | 15 ---- salt/salt/python3-influxdb.sls | 70 ------------------- 14 files changed, 9 insertions(+), 260 deletions(-) delete mode 100755 salt/common/tools/sbin/so-influxdb-clean delete mode 100755 salt/common/tools/sbin/so-influxdb-downsample delete mode 100755 salt/common/tools/sbin/so-influxdb-drop-autogen create mode 100644 salt/influxdb/templates/downsample.json delete mode 100644 salt/salt/files/influxdb_continuous_query.py.patch delete mode 100644 salt/salt/files/influxdb_retention_policy.py.patch delete mode 100644 salt/salt/files/influxdbmod.py.patch delete mode 100644 salt/salt/python3-influxdb.sls 
diff --git a/salt/common/tools/sbin/so-influxdb-clean b/salt/common/tools/sbin/so-influxdb-clean deleted file mode 100755 index 1b903bbe5..000000000 --- a/salt/common/tools/sbin/so-influxdb-clean +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -wdurregex="^[0-9]+w$" -ddurregex="^[0-9]+d$" - -echo -e "\nThis script is used to reduce the size of InfluxDB by removing old data and retaining only the duration specified." -echo "The duration will need to be specified as an integer followed by the duration unit without a space." -echo -e "\nFor example, to purge all data but retain the past 12 weeks, specify 12w for the duration." -echo "The duration units are as follows:" -echo " w - week(s)" -echo " d - day(s)" - -while true; do - echo "" - read -p 'Enter the duration of past data that you would like to retain: ' duration - duration=$(echo $duration | tr '[:upper:]' '[:lower:]') - - if [[ "$duration" =~ $wdurregex ]] || [[ "$duration" =~ $ddurregex ]]; then - break - fi - - echo -e "\nInvalid duration." -done - -echo -e "\nInfluxDB will now be cleaned and leave only the past $duration worth of data." -read -r -p "Are you sure you want to continue? [y/N] " yorn -if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then - echo -e "\nCleaning InfluxDb and saving only the past $duration. This may could take several minutes depending on how much data needs to be cleaned." - if docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"DELETE FROM /.*/ WHERE \"time\" >= '2020-01-01T00:00:00.0000000Z' AND \"time\" <= now() - $duration\""; then - echo -e "\nInfluxDb clean complete." - else - echo -e "\nSomething went wrong with cleaning InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details." 
- fi -else - echo -e "\nExiting as requested." -fi diff --git a/salt/common/tools/sbin/so-influxdb-downsample b/salt/common/tools/sbin/so-influxdb-downsample deleted file mode 100755 index ef44cd91d..000000000 --- a/salt/common/tools/sbin/so-influxdb-downsample +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set role = grains.id.split('_') | last %} -{%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %} - {%- import_yaml 'influxdb/defaults.yaml' as default_settings %} - {%- set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} - -. /usr/sbin/so-common - -echo -e "\nThis script is used to reduce the size of InfluxDB by downsampling old data into the so_long_term retention policy." - -echo -e "\nInfluxDB will now be downsampled. This could take a few hours depending on how large the database is and hardware resources available." -read -r -p "Are you sure you want to continue? [y/N] " yorn -if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then - echo -e "\nDownsampling InfluxDb started at `date`. This may take several hours depending on how much data needs to be downsampled." - - {% for dest_rp in influxdb.downsample.keys() -%} - {% for measurement in influxdb.downsample[dest_rp].get('measurements', []) -%} - - day=0 - startdate=`date` - while docker exec -t so-influxdb /bin/bash -c "influx -ssl -unsafeSsl -database telegraf -execute \"SELECT mean(*) INTO \"so_long_term\".\"{{measurement}}\" FROM \"autogen\".\"{{measurement}}\" WHERE \"time\" >= '2020-07-21T00:00:00.0000000Z' + ${day}d AND \"time\" <= '2020-07-21T00:00:00.0000000Z' + $((day+1))d GROUP BY time(5m),*\""; do - # why 2020-07-21? - migrationdate=`date -d "2020-07-21 + ${day} days" +"%y-%m-%d"` - - echo "Downsampling of measurement: {{measurement}} from $migrationdate started at $startdate and completed at `date`." 
- - newdaytomigrate=$(date -d "$migrationdate + 1 days" +"%s") - today=$(date +"%s") - if [ $newdaytomigrate -ge $today ]; then - break - else - ((day=day+1)) - startdate=`date` - echo -e "\nDownsampling the next day's worth of data for measurement: {{measurement}}." - fi - done - - {% endfor -%} - {% endfor -%} - - echo -e "\nInfluxDb data downsampling complete." - -else - echo -e "\nExiting as requested." -fi -{%- else %} -echo -e "\nThis script can only be run on a node running InfluxDB." -{%- endif %} diff --git a/salt/common/tools/sbin/so-influxdb-drop-autogen b/salt/common/tools/sbin/so-influxdb-drop-autogen deleted file mode 100755 index 5fe7b6e73..000000000 --- a/salt/common/tools/sbin/so-influxdb-drop-autogen +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -echo -e "\nThis script is used to reduce the size of InfluxDB by dropping the autogen retention policy." -echo "If you want to retain historical data prior to 2.3.60, then this should only be run after you have downsampled your data using so-influxdb-downsample." - -echo -e "\nThe autogen retention policy will now be dropped from InfluxDB." -read -r -p "Are you sure you want to continue? [y/N] " yorn -if [[ "$yorn" =~ ^([yY][eE][sS]|[yY])$ ]]; then - echo -e "\nDropping autogen retention policy." - if docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -execute "drop retention policy autogen on telegraf"; then - echo -e "\nAutogen retention policy dropped from InfluxDb." - else - echo -e "\nSomething went wrong dropping then autogen retention policy from InfluxDB. Please verify that the so-influxdb Docker container is running, and check the log at /opt/so/log/influxdb/influxdb.log for any details." - fi -else - echo -e "\nExiting as requested." -fi diff --git a/salt/influxdb/buckets.json.jinja b/salt/influxdb/buckets.json.jinja index 1e4655d31..727d224be 100644 --- a/salt/influxdb/buckets.json.jinja +++ b/salt/influxdb/buckets.json.jinja @@ -1,3 +1 @@ -{%- from 'influxdb/map.jinja' import INFLUXMERGED %} - {{ INFLUXMERGED.buckets | json }} \ No newline at end of file diff --git a/salt/influxdb/config.yaml.jinja b/salt/influxdb/config.yaml.jinja index 50b8ff940..9d65fde3f 100644 --- a/salt/influxdb/config.yaml.jinja +++ b/salt/influxdb/config.yaml.jinja 
@@ -1,3 +1 @@ -{%- from 'influxdb/map.jinja' import INFLUXMERGED %} - {{ INFLUXMERGED.config | yaml(false) }} \ No newline at end of file diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 396b9567c..ff6466bb4 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -2,6 +2,7 @@ {% if sls in allowed_states %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'influxdb/map.jinja' import INFLUXMERGED %} {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} @@ -37,6 +38,8 @@ influxdbconf: - user: 939 - group: 939 - template: jinja + - defaults: + INFLUXMERGED: {{ INFLUXMERGED }} influxdbbucketsconf: file.managed: @@ -45,6 +48,8 @@ influxdbbucketsconf: - user: 939 - group: 939 - template: jinja + - defaults: + INFLUXMERGED: {{ INFLUXMERGED }} influxdb-templates: file.recurse: @@ -54,6 +59,8 @@ influxdb-templates: - group: 939 - template: jinja - clean: True + - defaults: + INFLUXMERGED: {{ INFLUXMERGED }} influxdb_curl_config: file.managed: diff --git a/salt/influxdb/templates/downsample.json b/salt/influxdb/templates/downsample.json new file mode 100644 index 000000000..62484638c --- /dev/null +++ b/salt/influxdb/templates/downsample.json @@ -0,0 +1 @@ +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Task","metadata":{"name":"task-downsample"},"spec":{"every":"{{ INFLUXMERGED.downsample.so_long_term.resolution }}","name":"test","query":"import \"types\"\n\n\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: -task.every)\n |> filter(fn: (r) => types.isNumeric(v: r._value))\n |> aggregateWindow(every: task.every, fn: mean)\n |> to(bucket: \"telegraf/so_long_term\")"}}] \ No newline at end of file diff --git a/salt/influxdb/templates/security_onion_performance.json b/salt/influxdb/templates/security_onion_performance.json index 9baa33b8d..d1ad8dad7 100644 
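Review bot: the three new `defaults: INFLUXMERGED: {{ INFLUXMERGED }}` entries in `init.sls` render the merged dict as a Python repr inside the SLS YAML; that usually round-trips, but any `None` value becomes the string `None` and `True`/`False` depend on the YAML loader's boolean handling, so `INFLUXMERGED: {{ INFLUXMERGED | json }}` is the safer way to hand a structure to `defaults`. If the merged settings carry anything sensitive (the `config` part is what `config.yaml.jinja` renders), they now also appear in the rendered state and in `state.show_sls` output, which the old per-template `{%- from 'influxdb/map.jinja' import INFLUXMERGED %}` did not expose; worth confirming against the pillar. A short comment above the first `defaults` block saying that `INFLUXMERGED` is passed in because `file.recurse` templates cannot import the map themselves would explain the change to the next reader.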
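Review bot: the new Task in `downsample.json` is named `"test"` in its spec while its metadata name is `task-downsample`; the spec name is what shows in the InfluxDB Tasks UI and, presumably, what later template applies match against, so the placeholder will stick once applied — rename it, e.g. `"name":"so-downsample"`. `range(start: -task.every)` together with `every` means each run only looks back one interval, so points that arrive in that interval after the run fires are never copied to `telegraf/so_long_term`; Flux tasks have an `offset` option for exactly this, and if the template Task spec accepts it, an offset roughly matching the collection interval would close the gap. The interval is `INFLUXMERGED.downsample.so_long_term.resolution` rendered unquoted inside a JSON string, which is fine for a pillar-controlled duration but would break the JSON on a value containing `"`, so the pillar should be documented as a plain Flux duration such as `5m`.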
--- a/salt/influxdb/templates/security_onion_performance.json +++ b/salt/influxdb/templates/security_onion_performance.json 
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty 
Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_uptime\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> yield(name: 
\"last\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n 
|> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables 
|> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => 
r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_seconds\")\n |> set(key: 
\"_field\", value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IOWait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = 
(tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n 
|> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":30},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty 
Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == 
\"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"last\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if 
v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == 
v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Monitor Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek 
Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: 
v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: 
[\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: 
traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> 
range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter 
= (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: 
mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", 
\"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: 
v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => 
r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":95},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":85},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_loss\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"mean_kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"viridian","type":"text","hex":"#32B08C"},{"id":"SpQHOj76fJwL4uNUdgA_L","name":"pineapple","type":"text","hex":"#FFB94A","value":85},{"id":"FALp969me_9GTrRtLYaab","name":"ruby","type":"text","hex":"#BF3D5E","value":95}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"RootFS Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"name":"Security Onion Performance"}}] 
+[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty 
Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> yield(name: 
\"last\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n 
|> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> 
filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] 
== \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> set(key: \"_field\", 
value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IOWait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if 
v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do 
Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, 
createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":30},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty 
Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => 
r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"last\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: 
mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = 
(tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == 
v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Monitor Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek 
Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: 
v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: 
[\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: 
traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> 
range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = 
(tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n 
|> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, 
stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> 
distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":95},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":85},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> 
roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"viridian","type":"text","hex":"#32B08C"},{"id":"SpQHOj76fJwL4uNUdgA_L","name":"pineapple","type":"text","hex":"#FFB94A","value":85},{"id":"FALp969me_9GTrRtLYaab","name":"ruby","type":"text","hex":"#BF3D5E","value":95}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"RootFS Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"name":"Security Onion Performance"}}] 
diff --git a/salt/salt/files/influxdb_continuous_query.py.patch b/salt/salt/files/influxdb_continuous_query.py.patch
deleted file mode 100644
index 0922342fa..000000000
--- a/salt/salt/files/influxdb_continuous_query.py.patch
+++ /dev/null
@@ -1,4 +0,0 @@
-56c56
-< database, name, query, resample_time, coverage_period
----
-> database, name, query, resample_time, coverage_period, **client_args
diff --git a/salt/salt/files/influxdb_retention_policy.py.patch b/salt/salt/files/influxdb_retention_policy.py.patch
deleted file mode 100644
index 917d96a30..000000000
--- a/salt/salt/files/influxdb_retention_policy.py.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-34c34
-< hours = int(duration.split("h"))
----
-> hours = int(duration.split("h")[0])
-48c48
-< def present(name, database, duration="7d", replication=1, default=False, **client_args):
----
-> def present(name, database, duration="7d", replication=1, default=False, shard_duration="1d", **client_args):
-73c73
-< database, name, duration, replication, default, **client_args
----
-> database, name, duration, replication, shard_duration, default, **client_args
-113c113
-< database, name, duration, replication, default, **client_args
----
-> database, name, duration, replication, shard_duration, default, **client_args
diff --git a/salt/salt/files/influxdbmod.py.patch b/salt/salt/files/influxdbmod.py.patch
deleted file mode 100644
index 150fdfe15..000000000
--- a/salt/salt/files/influxdbmod.py.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-421c421
-< database, name, duration, replication, default=False, **client_args
----
-> database, name, duration, replication, shard_duration, default=False, **client_args
-456c456
-< client.create_retention_policy(name, duration, replication, database, default)
----
-> client.create_retention_policy(name, duration, replication, database, default, shard_duration)
-462c462
-< database, name, duration, replication, default=False, **client_args
----
-> database, name, duration, replication, shard_duration, default=False, **client_args
-498c498
-< client.alter_retention_policy(name, database, duration, replication, default)
----
-> client.alter_retention_policy(name, database, duration, replication, default, shard_duration)
diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index 389a95607..de660d844 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -7,10 +7,6 @@
 {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
 {% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
 {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
- {% set PYTHONINFLUXVERSION = '5.3.1' %}
- {% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %}
- {% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %}
- {% set PYTHONINSTALLER = 'pip' %}
 {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
 {% else %}
 {% set SPLITCHAR = '-' %}
@@ -18,10 +14,6 @@
 {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
 {% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
 {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
- {% set PYTHONINFLUXVERSION = '5.3.1' %}
- {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
- {% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %}
- {% set PYTHONINSTALLER = 'pkg' %}
 {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
 {% endif %}
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls
index 50bb865df..245324473 100644
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -34,21 +34,6 @@ install_salt_minion:
 exec 2>&- # close stderr
 nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
- {# if we are the salt master #}
- {% if grains.id.split('_')|first == grains.master %}
-remove_influxdb_continuous_query_state_file:
- file.absent:
- - name: /opt/so/state/influxdb_continuous_query.py.patched
-
-remove_influxdbmod_state_file:
- file.absent:
- - name: /opt/so/state/influxdbmod.py.patched
-
-remove_influxdb_retention_policy_state_file:
- file.absent:
- - name: /opt/so/state/influxdb_retention_policy.py.patched
- {% endif %}
-
 {% endif %}
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
diff --git a/salt/salt/python3-influxdb.sls b/salt/salt/python3-influxdb.sls
deleted file mode 100644
index 7a59c4303..000000000
--- a/salt/salt/python3-influxdb.sls
+++ /dev/null
@@ -1,70 +0,0 @@
-{% from "salt/map.jinja" import SALT_STATE_CODE_PATH with context %}
-{% from "salt/map.jinja" import SALT_MODULE_CODE_PATH with context %}
-{% from "salt/map.jinja" import PYTHON3INFLUX with context %}
-{% from "salt/map.jinja" import PYTHON3INFLUXDEPS with context %}
-{% from "salt/map.jinja" import PYTHONINSTALLER with context %}
-
-include:
- - salt.helper-packages
-
-python3_influxdb_dependencies:
- {{PYTHONINSTALLER}}.installed:
- - pkgs: {{ PYTHON3INFLUXDEPS }}
-
-python3_influxdb:
- {{PYTHONINSTALLER}}.installed:
- - name: {{ PYTHON3INFLUX }}
-
-# We circumvent the file.patch state putting ERROR in the log by using the unless and file.touch below
-# https://github.com/saltstack/salt/pull/47010 and https://github.com/saltstack/salt/issues/52329
-
-#https://github.com/saltstack/salt/issues/59766
-influxdb_continuous_query.present_patch:
- file.patch:
- - name: {{ SALT_STATE_CODE_PATH }}/influxdb_continuous_query.py
- - source: salt://salt/files/influxdb_continuous_query.py.patch
- - require:
- - {{PYTHONINSTALLER}}: python3_influxdb
- - pkg: patch_package
- - unless: ls /opt/so/state/influxdb_continuous_query.py.patched
-
-influxdb_continuous_query.py.patched:
- file.touch:
- - name: /opt/so/state/influxdb_continuous_query.py.patched
- - onchanges:
- - file: influxdb_continuous_query.present_patch
-
-#https://github.com/saltstack/salt/issues/59761
-influxdb_retention_policy.present_patch:
- file.patch:
- - name: {{ SALT_STATE_CODE_PATH }}/influxdb_retention_policy.py
- - source: salt://salt/files/influxdb_retention_policy.py.patch
- - require:
- - {{PYTHONINSTALLER}}: python3_influxdb
- - pkg: patch_package
- - unless: ls /opt/so/state/influxdb_retention_policy.py.patched
-
-influxdb_retention_policy.py.patched:
- file.touch:
- - name: /opt/so/state/influxdb_retention_policy.py.patched
- - onchanges:
- - file: influxdb_retention_policy.present_patch
-
-# We should be able to set reload_modules: True in this state in order to tell salt to
reload its python modules due to us possibly installing
-# and possibly modifying modules in this state. This is bugged according to https://github.com/saltstack/salt/issues/24925
-influxdbmod.py_shard_duration_patch:
- file.patch:
- - name: {{ SALT_MODULE_CODE_PATH }}/influxdbmod.py
- - source: salt://salt/files/influxdbmod.py.patch
- - require:
- - {{PYTHONINSTALLER}}: python3_influxdb
- - pkg: patch_package
- - unless: ls /opt/so/state/influxdbmod.py.patched
-
-influxdbmod.py.patched:
- file.touch:
- - name: /opt/so/state/influxdbmod.py.patched
- - onchanges:
- - file: influxdbmod.py_shard_duration_patch
-
-
From 7b3acd53a1e0daeedf569d91143d6e02ecdcdb61 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 13 Feb 2023 09:55:45 -0500
Subject: [PATCH 087/470] upgrade influx
---
 salt/influxdb/templates/downsample.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/influxdb/templates/downsample.json b/salt/influxdb/templates/downsample.json
index 62484638c..c9926f371 100644
--- a/salt/influxdb/templates/downsample.json
+++ b/salt/influxdb/templates/downsample.json
@@ -1 +1 @@
-[{"apiVersion":"influxdata.com/v2alpha1","kind":"Task","metadata":{"name":"task-downsample"},"spec":{"every":"{{ INFLUXMERGED.downsample.so_long_term.resolution }}","name":"test","query":"import \"types\"\n\n\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: -task.every)\n |> filter(fn: (r) => types.isNumeric(v: r._value))\n |> aggregateWindow(every: task.every, fn: mean)\n |> to(bucket: \"telegraf/so_long_term\")"}}]
\ No newline at end of file
+[{"apiVersion":"influxdata.com/v2alpha1","kind":"Task","metadata":{"name":"task-downsample"},"spec":{"every":"{{ INFLUXMERGED.downsample.so_long_term.resolution }}","name":"Downsample","query":"import \"types\"\n\n\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: -task.every)\n |> filter(fn: (r) => types.isNumeric(v: r._value))\n |> aggregateWindow(every: task.every, fn: mean)\n |> to(bucket: \"telegraf/so_long_term\")"}}]
\ No newline at end of file
From 40d3269db31984b5826a0ae900ece3f74437cdb7 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Mon, 13 Feb 2023 09:58:39 -0500
Subject: [PATCH 088/470] Remove 'so-filebeat' from list of trusted containers
---
 salt/common/tools/sbin/so-image-common | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 945d3f4ed..fb74907bd 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -25,7 +25,6 @@ container_list() {
 if [ $MANAGERCHECK == 'so-import' ]; then
 TRUSTED_CONTAINERS=(
 "so-elasticsearch"
- "so-filebeat"
 "so-idstools"
 "so-influxdb"
 "so-kibana"
@@ -47,7 +46,6 @@ container_list() {
 "so-elastic-agent"
 "so-elastic-agent-builder"
 "so-elasticsearch"
- "so-filebeat"
 "so-grafana"
 "so-idh"
 "so-idstools"
@@ -73,7 +71,6 @@ container_list() {
 )
 else
 TRUSTED_CONTAINERS=(
- "so-filebeat"
 "so-idstools"
 "so-elasticsearch"
 "so-logstash"
From 1fa8294ee6c96a22e2f004f5aacf49f277d1285f Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 13 Feb 2023 14:56:51 -0500
Subject: [PATCH 089/470] influx upgrade
---
 salt/common/tools/sbin/so-influxdb-manage | 78 +++++++++++++++--------
 salt/common/tools/sbin/so-user | 9 +++
 salt/influxdb/init.sls | 12 ++--
 3 files changed, 70 insertions(+), 29 deletions(-)
diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage
index 964a1b517..96b0c01f9 100644
--- a/salt/common/tools/sbin/so-influxdb-manage
+++ b/salt/common/tools/sbin/so-influxdb-manage
@@ -18,6 +18,8 @@ usage() {
 echo " userenable Enables a user, requires: "
 echo " userdisable Disables a user, requires: "
 echo " userpass Updates a user's password, requires: "
+ echo " userpromote Promotes a user to admin: "
+ echo " userdemote Demotes a user from admin: "
 echo ""
 echo "If required, the password will be read from STDIN."
 exit 1
@@ -27,13 +29,14 @@ if [ $# -lt 1 ]; then
 usage
 fi
+COMMAND=$(basename $0)
 OP=$1
 shift
 set -eo pipefail
 log() {
- echo -e "$(date) | InfluxDB | $@" >&2
+ echo -e "$(date) | $COMMAND | $@" >&2
 }
 check_response() {
@@ -61,17 +64,6 @@ lookup_user_id() {
 echo "$uid"
 }
-lookup_org_id() {
- response=$(request orgs?limit=100)
- check_response "$response"
- oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id")
- if [[ -z "$oid" ]]; then
- log "Organization not found"
- exit 1
- fi
- echo "$oid"
-}
-
 lookup_stack_id() {
 oid=$1
@@ -86,15 +78,6 @@ lookup_stack_id() {
 echo "$stackid"
 }
-add_user_to_org() {
- uid=$1
- oid=$2
-
- log "Adding new user to organization"
- response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
- check_response "$response"
-}
-
 change_password() {
 uid=$1
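Review bot: `COMMAND=$(basename $0)` in the `@@ -27,13 +29,14 @@` hunk leaves `$0` unquoted, so a script path containing whitespace would be word-split before basename sees it; `COMMAND=$(basename "$0")` is the conventional form, and the rest of this script already quotes its expansions (`"$response"`, `"$uid"`). Minor, but it is the one new global this hunk introduces and it feeds every `log` line.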
@@ -137,6 +120,30 @@ setup_bucket() {
 check_response "$response"
 }
+lookup_org_id_with_wait() {
+ max_attempts=30
+ attempts=0
+ wait=10
+ while [[ $attempts -lt $max_attempts ]]; do
+ response=$(request orgs?org=Security+Onion)
+ check_response "$response"
+ oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id")
+ if [[ -z $oid ]]; then
+ attempts=$((attempts+1))
+ log "Server does not appear to be running or fully initialized - will try again in $wait seconds ($attempts / $max_attempts)"
+ sleep $wait
+ else
+ echo "$oid"
+ return
+ fi
+ done
+
+ log "Server has not started after $max_attempts attempts - aborting"
+ exit 1
+}
+
+oid=$(lookup_org_id_with_wait)
+
 case "$OP" in
 setup)
@@ -146,7 +153,6 @@ case "$OP" in
 newest=$(ls -1t /opt/so/conf/influxdb/templates/ | head -1)
 if [ /opt/so/conf/influxdb/templates/$newest -nt /opt/so/conf/influxdb/last_template_setup ]; then
 log "Updating templates"
- oid=$(lookup_org_id)
 stackid=$(lookup_stack_id "$oid")
 for file in /opt/so/conf/influxdb/templates/*; do
 if [[ "$templates_array" != "" ]]; then
@@ -164,7 +170,6 @@ case "$OP" in
 # Setup buckets and retention periods if at least one has been modified since the last setup
 if [ /opt/so/conf/influxdb/buckets.json -nt /opt/so/conf/influxdb/last_bucket_setup ]; then
 log "Updating buckets and retention periods"
- oid=$(lookup_org_id)
 for rp in so_short_term so_long_term; do
 bucket=telegraf/$rp
 log "Ensuring bucket is created and configured; bucket=$bucket"
@@ -189,11 +194,14 @@ case "$OP" in
 [ $# -ne 1 ] && usage
 email=$1
 log "Adding new user; email=$email"
- oid=$(lookup_org_id)
 response=$(request users -X POST -d "{\"name\":\"$email\"}")
 check_response "$response"
 uid=$(echo "$response" | jq -r .id)
- add_user_to_org "$uid" "$oid"
+
+ log "Adding new user to organization"
+ response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
+ check_response "$response"
+
 change_password "$uid"
 ;;
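Review bot: Inside `lookup_org_id_with_wait`, `response=$(request orgs?org=Security+Onion)` runs under the `set -eo pipefail` this script enables further up, so if `request` returns non-zero while the server is still unreachable the script exits on the first attempt and the retry loop never gets to retry; `request` is defined outside the hunk, so confirm whether it fails on a connection error rather than returning an empty body. Tolerating that failure, e.g. `response=$(request orgs?org=Security+Onion) || response=""` and skipping `check_response` while the response is empty, would let the wait cover a server that is still starting, which is what the log message says it is for. Separately, `oid=$(lookup_org_id_with_wait)` now runs before `case "$OP"`, so an unrecognized operation waits up to 300 seconds (30 attempts of 10 seconds) before `usage` is printed; validating `$OP` first, or looking the org up only in the arms that use `$oid`, avoids that.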
@@ -232,6 +240,26 @@ case "$OP" in
 check_response "$response"
 ;;
+ userpromote)
+ [ $# -ne 1 ] && usage
+ email=$1
+ log "Promoting user to admin; email=$email"
+ uid=$(lookup_user_id "$email")
+ response=$(request orgs/$oid/members/$uid -X DELETE)
+ response=$(request orgs/$oid/owners -X POST -d "{\"id\":\"$uid\"}")
+ check_response "$response"
+ ;;
+
+ userdemote)
+ [ $# -ne 1 ] && usage
+ email=$1
+ log "Demoting user from admin; email=$email"
+ uid=$(lookup_user_id "$email")
+ response=$(request orgs/$oid/owners/$uid -X DELETE)
+ response=$(request orgs/$oid/members -X POST -d "{\"id\":\"$uid\"}")
+ check_response "$response"
+ ;;
+
 *)
 usage
 ;;
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index da6f3a4fb..4ad3983b4 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -588,6 +588,9 @@ case "${operation}" in
 syncAll
 echo "Successfully added new user to SOC"
 echo "$password" | so-influxdb-manage useradd "$email"
+ if [[ "$role" == "superuser" ]]; then
+ echo "$password" | so-influxdb-manage userpromote "$email"
+ fi
 ;;
 "list")
@@ -605,6 +608,9 @@ case "${operation}" in
 if addUserRole "$email" "$role"; then
 syncElastic
 echo "Successfully added role to user"
+ if [[ "$role" == "superuser" ]]; then
+ echo "$password" | so-influxdb-manage userpromote "$email"
+ fi
 fi
 ;;
@@ -618,6 +624,9 @@ case "${operation}" in
 deleteUserRole "$email" "$role"
 syncElastic
 echo "Successfully removed role from user"
+ if [[ "$role" == "superuser" ]]; then
+ echo "$password" | so-influxdb-manage userdemote "$email"
+ fi
 ;;
 "password")
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index ff6466bb4..4872a5a40 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
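Review bot: In the new `userpromote` arm the result of `request orgs/$oid/members/$uid -X DELETE` is overwritten by the following assignment and never passed to `check_response`, and `userdemote` does the same with `request orgs/$oid/owners/$uid -X DELETE`. For demotion that means a failed owner removal is silent while the member re-add succeeds, so the command exits 0 with the user still an org owner; for promotion a successful DELETE followed by a failed POST leaves the user with no org membership at all. Check each response before issuing the second call, `response=$(request orgs/$oid/owners/$uid -X DELETE)` followed by `check_response "$response"`, assuming `check_response` (defined outside this hunk) accepts the empty body a DELETE may return; if it does not, the DELETE needs its own status check.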
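Review bot: `echo "$password" | so-influxdb-manage userpromote "$email"` in the `@@ -588,6 +588,9 @@` hunk, and the matching lines in the `@@ -605` and `@@ -618` hunks, pipe a password into operations whose arms in so-influxdb-manage (changed in this same commit) never read stdin, and in the addrole/delrole paths nothing visible in these hunks sets `$password`; `so-influxdb-manage userpromote "$email"` is sufficient and avoids passing a credential through a pipe for no reason. In the `@@ -618` hunk `echo "Successfully removed role from user"` is printed before `userdemote` runs, so if the demotion fails the operator has already been told the superuser role is gone while the InfluxDB owner role remains; run the demote before the success message, or report its failure explicitly. The enclosing `case` arms start outside the hunks.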
@@ -71,10 +71,6 @@ influxdb_curl_config:
 - show_changes: False
 - makedirs: True
-influxdb-setup:
- cmd.run:
- - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
-
 so-influxdb:
 docker_container.running:
 - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
@@ -113,6 +109,14 @@ append_so-influxdb_so-status.conf:
 - name: /opt/so/conf/so-status/so-status.conf
 - text: so-influxdb
+influxdb-setup:
+ cmd.run:
+ - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
+ - require:
+ - file: influxdbbucketsconf
+ - file: influxdb_curl_conf
+ - docker_container: so-influxdb
+
 # Install cron job to determine size of influxdb for telegraf
 get_influxdb_size:
 cron.present:
From e3ca0345a84068d765b3b382c3cfd4469f8c44eb Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 13 Feb 2023 15:41:37 -0500
Subject: [PATCH 090/470] upgrade influx
---
 salt/influxdb/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 4872a5a40..f40b1b669 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -114,7 +114,7 @@ influxdb-setup:
 - name: /usr/sbin/so-influxdb-manage setup &>> /opt/so/log/influxdb/setup.log
 - require:
 - file: influxdbbucketsconf
- - file: influxdb_curl_conf
+ - file: influxdb_curl_config
 - docker_container: so-influxdb
 # Install cron job to determine size of influxdb for telegraf
From 0890129c6971c209a99150424c30cd4f0f530681 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 13 Feb 2023 19:30:10 -0500
Subject: [PATCH 091/470] influx upgrade
---
 salt/influxdb/templates/alarm_deadman.json | 18 +++++++++++
 salt/influxdb/templates/alarm_nsm_disk.json | 32 +++++++++++++++++++
 salt/influxdb/templates/alarm_root_disk.json | 32 +++++++++++++++++++
 .../dashboard-security_onion_performance.json | 1 +
 .../templates/security_onion_performance.json | 1 -
 ...container.json => variable-container.json} | 0
 .../{host.json => variable-host.json} | 0
 .../{role.json => variable-role.json} | 0
 8 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 salt/influxdb/templates/alarm_deadman.json
 create mode 100644 salt/influxdb/templates/alarm_nsm_disk.json
 create mode 100644 salt/influxdb/templates/alarm_root_disk.json
 create mode 100644 salt/influxdb/templates/dashboard-security_onion_performance.json
 delete mode 100644 salt/influxdb/templates/security_onion_performance.json
 rename salt/influxdb/templates/{container.json => variable-container.json} (100%)
 rename salt/influxdb/templates/{host.json => variable-host.json} (100%)
 rename salt/influxdb/templates/{role.json => variable-role.json} (100%)
diff --git a/salt/influxdb/templates/alarm_deadman.json b/salt/influxdb/templates/alarm_deadman.json
new file mode 100644
index 000000000..6ea0e1ad7
--- /dev/null
+++ b/salt/influxdb/templates/alarm_deadman.json
@@ -0,0 +1,18 @@
+{
+ "apiVersion": "influxdata.com/v2alpha1",
+ "kind": "CheckDeadman",
+ "metadata": {
+ "name": "alarm-deadman"
+ },
+ "spec": {
+ "description": "Data has not been received from Telegraf for an extended period.",
+ "every": "1m0s",
+ "level": "CRIT",
+ "name": "Telegraf Data Outage",
+ "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")",
+ "staleTime": "15m0s",
+ "status": "active",
+ "statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
+ "timeSince": "2m0s"
+ }
+}
\ No newline at end of file
diff --git a/salt/influxdb/templates/alarm_nsm_disk.json b/salt/influxdb/templates/alarm_nsm_disk.json
new file mode 100644
index 000000000..5c8f87cfc
--- /dev/null
+++ b/salt/influxdb/templates/alarm_nsm_disk.json
@@ -0,0 +1,32 @@
+{
+ "apiVersion": "influxdata.com/v2alpha1",
+ "kind": "CheckThreshold",
+ "metadata": {
+ "name": "alarm-nsm-disk"
+ },
+ "spec": {
+ "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
+ "every": "1m0s",
+ "name": "NSM Disk High Usage",
+ "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n |> yield(name: \"max\")",
+ "status": "active",
+ "statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
+ "thresholds": [
+ {
+ "level": "CRIT",
+ "type": "greater",
+ "value": 95
+ },
+ {
+ "level": "INFO",
+ "type": "greater",
+ "value": 85
+ },
+ {
+ "level": "WARN",
+ "type": "greater",
+ "value": 90
+ }
+ ]
+ }
+}
\ No newline at end of file
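Review bot: The `NSM Disk High Usage` check in alarm_nsm_disk.json filters `r[\"path\"] == \"/\"`, so it watches the root partition and carries the same query and "root partition" description as alarm_root_disk.json, leaving the /nsm volume without an alarm. The NSM Usage gauge in the dashboard earlier in this series selects `r[\"path\"] == \"/nsm\"`, which is presumably what this check intends: change the filter to `|> filter(fn: (r) => r[\"path\"] == \"/nsm\")` and reword the description to name the /nsm partition. The thresholds block (INFO 85, WARN 90, CRIT 95) needs no change.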
diff --git a/salt/influxdb/templates/alarm_root_disk.json b/salt/influxdb/templates/alarm_root_disk.json
new file mode 100644
index 000000000..a13cbcd3d
--- /dev/null
+++ b/salt/influxdb/templates/alarm_root_disk.json
@@ -0,0 +1,32 @@
+{
+ "apiVersion": "influxdata.com/v2alpha1",
+ "kind": "CheckThreshold",
+ "metadata": {
+ "name": "alarm-root-disk"
+ },
+ "spec": {
+ "description": "Percent used space on the root partition of at least one node has exceeded the alarm threshold.",
+ "every": "1m0s",
+ "name": "Root Disk High Usage",
+ "query": "from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> aggregateWindow(every: 1m, fn: max, createEmpty: false)\n |> yield(name: \"max\")",
+ "status": "active",
+ "statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
+ "thresholds": [
+ {
+ "level": "CRIT",
+ "type": "greater",
+ "value": 95
+ },
+ {
+ "level": "INFO",
+ "type": "greater",
+ "value": 85
+ },
+ {
+ "level": "WARN",
+ "type": "greater",
+ "value": 90
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/salt/influxdb/templates/dashboard-security_onion_performance.json b/salt/influxdb/templates/dashboard-security_onion_performance.json
new file mode 100644
index 000000000..9057d1078
--- /dev/null
+++ b/salt/influxdb/templates/dashboard-security_onion_performance.json
@@ -0,0 +1 @@ +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"ruby","type":"text","hex":"#BF3D5E","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Critical Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"crit\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"yPos":2},{"colors":[{"id":"base","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QCTYWuGuHkikYFsZSKMzQ","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QdpMyTRBb0LJ56-P5wfAW","name":"laser","type":"text","hex":"#00C9FF","value":1},{"id":"VQGwCoMrxZyP8asiOW5Cq","name":"tiger","type":"text","hex":"#F48D38","value":2},{"id":"zSO9QkesSIxrU_ntCBx2i","name":"ruby","type":"text","hex":"#BF3D5E","value":3}],"fieldOptions":[{"fieldName":"_time","visible":true},{"displayName":"Alarm","fieldName":"_check_name","visible":true},{"displayName":"Severity","fieldName":"_value","visible":true},{"displayName":"Status","fieldName":"_level","visible":true}],"height":6,"kind":"Table","name":"Alarm Status","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> drop(columns: [\"_value\"])\n |> duplicate(column: \"_level\", as: \"_value\")\n |> map(fn: (r) => ({ r with _value: if r._value == \"ok\" then 0 else if r._value == \"info\" then 1 else if r._value == \"warn\" then 2 else 3 }))\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> keep(columns: [\"_check_name\",\"_level\",\"_value\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"_check_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD 
HH:mm:ss","width":3,"yPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" 
days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: 
(r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> yield(name: \"last\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: 
\"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface 
== r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: 
mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"tiger","type":"text","hex":"#F48D38","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Warning Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"warn\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"xPos":1,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IO Wait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"laser","type":"text","hex":"#00C9FF","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Informative Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"info\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"xPos":2,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> 
derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"kOQLOg2H4FVEE-E1_L8Kq","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"5IArg2lDb8KvnphywgUXa","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Root Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document 
Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"last\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty 
Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] 
== \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if 
v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != 
\"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xPos":4,"yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Drops","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" 
Mb/s","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"H7uprvKmMEh39en6X-ms_","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n 
|> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n 
\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> 
group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n 
|> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> 
filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", 
\"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n 
else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: 
[\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> set(key: \"_field\", value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"colors":[{"id":"base","name":"white","type":"text","hex":"#ffffff"}],"fieldOptions":[{"displayName":"Host","fieldName":"host","visible":true},{"displayName":"Name","fieldName":"container_name","visible":true},{"displayName":"Status","fieldName":"container_status","visible":true},{"displayName":"OOM Killed","fieldName":"_value","visible":true},{"displayName":"_start","fieldName":"_start","visible":true},{"displayName":"_stop","fieldName":"_stop","visible":true},{"displayName":"_time","fieldName":"_time","visible":true},{"displayName":"_field","fieldName":"_field","visible":true},{"displayName":"_measurement","fieldName":"_measurement","visible":true},{"displayName":"engine_host","fieldName":"engine_host","visible":true},{"displayName":"role","fieldName":"role","visible":true},{"displayName":"server_version","fieldName":"server_version","visible":true},{"displayName":"container_image","fieldName":"container_image","visible":true},{"displayName":"container_version","fieldName":"container_version","visible":true},{"displayName":"description","fieldName":"description","visible":true},{"displayName":"maintainer","fieldName":"maintainer","visible":true},{"displayName":"io.k8s.description","fieldName":"io.k8s.description","visible":true},{"displayName":"io.k8s.display-name","fieldName":"io.k8s.display-name","visible":true},{"displayName":"license","fieldName":"license","visible":true},{"displayName":"name","fieldName":"name","visible":true},{"displayName":"org.label-schema.build-date","fieldName":"org.label-schema.build-date","visible":true},{"displayName":"org.label-schema.license","fieldName":"org.label-schema.license","visible":true},{"displayName":"org.label-schema.name","fieldName":"org.label-schema.name","visible":true},{"displayName":"org.label-schema.schema-version","fieldName":"org.label-schema.schema-version","visible":true},{"displayName":"org.label-schema.url","fieldName"
:"org.label-schema.url","visible":true},{"displayName":"org.label-schema.vcs-ref","fieldName":"org.label-schema.vcs-ref","visible":true},{"displayName":"org.label-schema.vcs-url","fieldName":"org.label-schema.vcs-url","visible":true},{"displayName":"org.label-schema.vendor","fieldName":"org.label-schema.vendor","visible":true},{"displayName":"org.label-schema.version","fieldName":"org.label-schema.version","visible":true},{"displayName":"org.opencontainers.image.created","fieldName":"org.opencontainers.image.created","visible":true},{"displayName":"org.opencontainers.image.licenses","fieldName":"org.opencontainers.image.licenses","visible":true},{"displayName":"org.opencontainers.image.title","fieldName":"org.opencontainers.image.title","visible":true},{"displayName":"org.opencontainers.image.vendor","fieldName":"org.opencontainers.image.vendor","visible":true},{"displayName":"release","fieldName":"release","visible":true},{"displayName":"summary","fieldName":"summary","visible":true},{"displayName":"url","fieldName":"url","visible":true},{"displayName":"vendor","fieldName":"vendor","visible":true},{"displayName":"version","fieldName":"version","visible":true},{"displayName":"org.label-schema.usage","fieldName":"org.label-schema.usage","visible":true},{"displayName":"org.opencontainers.image.documentation","fieldName":"org.opencontainers.image.documentation","visible":true},{"displayName":"org.opencontainers.image.revision","fieldName":"org.opencontainers.image.revision","visible":true},{"displayName":"org.opencontainers.image.source","fieldName":"org.opencontainers.image.source","visible":true},{"displayName":"org.opencontainers.image.url","fieldName":"org.opencontainers.image.url","visible":true},{"displayName":"org.opencontainers.image.version","fieldName":"org.opencontainers.image.version","visible":true},{"displayName":"org.opencontainers.image.description","fieldName":"org.opencontainers.image.description","visible":true}],"height":4,"kind":"Table","name":"Tro
ubled Containers","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"oomkilled\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"container_image\", \"host\"])\n |> last()\n |> group()\n |> keep(columns: [\"_value\", \"container_name\", \"host\"])\n |> filter(fn: (r) => r[\"container_status\"] != \"running\")"}],"staticLegend":{},"tableOptions":{"sortBy":"container_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD HH:mm:ss","width":3,"xPos":9,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => 
r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"description":"Visualize the Security Onion grid performance metrics and alarm statuses.","name":"Security Onion Performance"}}] \ No newline at end of file diff --git a/salt/influxdb/templates/security_onion_performance.json b/salt/influxdb/templates/security_onion_performance.json deleted file mode 100644 index d1ad8dad7..000000000 --- a/salt/influxdb/templates/security_onion_performance.json +++ /dev/null 
@@ -1 +0,0 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty 
Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> yield(name: 
\"last\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n 
|> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> 
filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] 
== \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> set(key: \"_field\", 
value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IOWait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if 
v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do 
Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, 
createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":30},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty 
Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => 
r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"last\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: 
mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = 
(tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == 
v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Monitor Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek 
Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: 
v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: 
[\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: 
traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> 
range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = 
(tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n 
|> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, 
stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> 
distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":95},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":85},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> 
roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"viridian","type":"text","hex":"#32B08C"},{"id":"SpQHOj76fJwL4uNUdgA_L","name":"pineapple","type":"text","hex":"#FFB94A","value":85},{"id":"FALp969me_9GTrRtLYaab","name":"ruby","type":"text","hex":"#BF3D5E","value":95}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"RootFS Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"name":"Security Onion Performance"}}] 
diff --git a/salt/influxdb/templates/container.json b/salt/influxdb/templates/variable-container.json similarity index 100% rename from salt/influxdb/templates/container.json rename to salt/influxdb/templates/variable-container.json diff --git a/salt/influxdb/templates/host.json b/salt/influxdb/templates/variable-host.json similarity index 100% rename from salt/influxdb/templates/host.json rename to salt/influxdb/templates/variable-host.json diff --git a/salt/influxdb/templates/role.json b/salt/influxdb/templates/variable-role.json similarity index 100% rename from salt/influxdb/templates/role.json rename to salt/influxdb/templates/variable-role.json From d15158e77a2adbbe68295cf702801cf9e8c40cd4 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 13 Feb 2023 20:52:12 -0500 Subject: [PATCH 092/470] influx upgrade --- salt/influxdb/templates/alarm_deadman.json | 4 ++-- salt/influxdb/templates/alarm_nsm_disk.json | 4 ++-- salt/influxdb/templates/alarm_root_disk.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/influxdb/templates/alarm_deadman.json b/salt/influxdb/templates/alarm_deadman.json index 6ea0e1ad7..cd538ad9e 100644 --- a/salt/influxdb/templates/alarm_deadman.json +++ b/salt/influxdb/templates/alarm_deadman.json @@ -1,4 +1,4 @@ -{ +[{ "apiVersion": "influxdata.com/v2alpha1", "kind": "CheckDeadman", "metadata": { @@ -15,4 +15,4 @@ "statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }", "timeSince": "2m0s" } -} \ No newline at end of file +}] \ No newline at end of file diff --git a/salt/influxdb/templates/alarm_nsm_disk.json b/salt/influxdb/templates/alarm_nsm_disk.json index 5c8f87cfc..691f8c0e8 100644 --- a/salt/influxdb/templates/alarm_nsm_disk.json +++ b/salt/influxdb/templates/alarm_nsm_disk.json @@ -1,4 +1,4 @@ -{ +[{ "apiVersion": "influxdata.com/v2alpha1", "kind": "CheckThreshold", "metadata": { @@ -29,4 +29,4 @@ } ] } -} \ No newline at end of file +}] \ No newline at end of file 
diff --git a/salt/influxdb/templates/alarm_root_disk.json b/salt/influxdb/templates/alarm_root_disk.json
index a13cbcd3d..19d5f065c 100644
--- a/salt/influxdb/templates/alarm_root_disk.json
+++ b/salt/influxdb/templates/alarm_root_disk.json
@@ -1,4 +1,4 @@
-{
+[{
   "apiVersion": "influxdata.com/v2alpha1",
   "kind": "CheckThreshold",
   "metadata": {
@@ -29,4 +29,4 @@
       }
     ]
   }
-}
\ No newline at end of file
+}]
\ No newline at end of file
From b2d85b843ff59f8959b33ddb0ab9f250b4a53e37 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Feb 2023 09:00:10 -0500 Subject: [PATCH 093/470] reposync --- salt/common/tools/sbin/so-common | 14 +++++++++----- salt/common/tools/sbin/so-repo-sync | 16 ++++++++++++++++ setup/so-functions | 2 ++ 3 files changed, 27 insertions(+), 5 deletions(-) create mode 100644 salt/common/tools/sbin/so-repo-sync
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index c4a3fdbaf..01e278a6a 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -366,12 +366,16 @@ run_check_net_err() {
     fi
 }
 
+salt_minion_count()
+    local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
+    MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep sls | wc -l)
+
 set_cron_service_name() {
-    if [[ "$OS" == "centos" ]]; then
-        cron_service_name="crond"
-    else
-        cron_service_name="cron"
-    fi
+    if [[ "$OS" == "centos" ]]; then
+        cron_service_name="crond"
+    else
+        cron_service_name="cron"
+    fi
 }
 
 set_os() {
diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync
new file mode 100644
index 000000000..67adb46ff
--- /dev/null
+++ b/salt/common/tools/sbin/so-repo-sync
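Review bot: `salt_minion_count()` at the top of the @@ -366 hunk has no `{ … }` body, so so-common no longer parses (and `local` outside a function is itself an error); since every tool starts with `. /usr/sbin/so-common`, this breaks all of them, not only the new so-repo-sync. The count also parses `ls -la` output, which is fragile; counting the glob with `find` avoids that. Proposed replacement for the four added lines:

```shell
salt_minion_count() {
    local MINIONDIR="/opt/so/saltstack/local/pillar/minions"
    MINIONCOUNT=$(find "$MINIONDIR" -maxdepth 1 -name '*.sls' | wc -l)
}
```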
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+set_version
+set_os
+salt_minion_count
+
+curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup"
+reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/"
+
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 0dc4751bd..80ddfd68a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1973,6 +1973,8 @@ repo_sync_local() {
     info "We have what we need to sync"
   fi
+  # Make sure we can get to the sig repo
+  logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/checkup --output /tmp/checkup"
   logCmd "reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/"
From 89bd9163fbf76acfe2949c81a2ad16de84897cd9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Feb 2023 10:08:34 -0500 Subject: [PATCH 094/470] reposync attempt for reocky --- salt/common/tools/sbin/so-common | 12 +++--- .../client/files/rocky/RPM-GPG-KEY-EPEL-9 | 29 +++++++++++++ .../client/files/rocky/SALTSTACK-GPG-KEY2.pub | 31 +++++++++++++ setup/so-functions | 43 ++++++++----------- 4 files changed, 83 insertions(+), 32 deletions(-) create mode 100644 salt/repo/client/files/rocky/RPM-GPG-KEY-EPEL-9 create mode 100644 salt/repo/client/files/rocky/SALTSTACK-GPG-KEY2.pub
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 01e278a6a..fbe9a9700 100755
--- a/salt/common/tools/sbin/so-common
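Review bot: Both the `curl` and `reposync` lines in the new so-repo-sync end with a stray `"` (left over from the `logCmd "…"` form in so-functions), so bash aborts with an unterminated-quote error before anything runs. The user-agent is also single-quoted, so `$VERSION`, `$OS`, `$(uname -r)` and `$MINIONCOUNT` are sent literally rather than expanded; if expansion is intended the two lines should read `curl --retry 5 --retry-delay 60 -A "checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup` and `reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/`. Writing the response to the fixed path `/tmp/checkup` as root is a symlink hazard in a shared directory; prefer `mktemp`, or `--output /dev/null` if the body is never read (the same applies to the so-functions hunk that follows). The script also reports version, OS, kernel and minion count to an external host on every run; a comment stating that, and any opt-out, would help operators who audit outbound traffic.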
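Review bot: The comment `# Make sure we can get to the sig repo` in the @@ -1973 hunk promises a reachability gate, but the exit status of the added `logCmd "curl …"` line is never checked and `reposync` runs regardless, so an unreachable sigs.securityonion.net only surfaces later as a reposync failure. If `logCmd` propagates the command's status (not visible here), `if ! logCmd "curl …"; then info "Unable to reach sigs.securityonion.net"; exit 1; fi` would make the check real; otherwise run the curl directly and test its result. `repo_sync_local` starts and ends outside this hunk.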
+++ b/salt/common/tools/sbin/so-common
@@ -187,14 +187,14 @@ get_random_value() {
 }
 gpg_rpm_import() {
-  if [[ "$OS" == "centos" ]]; then
+  if [[ "$OS" == "rocky" ]]; then
     if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-      local RPMKEYSLOC="../salt/repo/client/files/centos/keys"
+      local RPMKEYSLOC="../salt/repo/client/files/rocky/keys"
     else
-      local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/centos/keys"
+      local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
     fi
-    RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub')
+    RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALTSTACK-GPG-KEY2.pub' 'securityonion.pub')
     for RPMKEY in "${RPMKEYS[@]}"; do
       rpm --import $RPMKEYSLOC/$RPMKEY
@@ -371,7 +371,7 @@ salt_minion_count()
     MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep sls | wc -l)
 
 set_cron_service_name() {
-    if [[ "$OS" == "centos" ]]; then
+    if [[ "$OS" == "rocky" ]]; then
         cron_service_name="crond"
     else
         cron_service_name="cron"
@@ -380,7 +380,7 @@ set_cron_service_name() {
 
 set_os() {
   if [ -f /etc/redhat-release ]; then
-    OS=centos
+    OS=rocky
   else
     OS=ubuntu
   fi
diff --git a/salt/repo/client/files/rocky/RPM-GPG-KEY-EPEL-9 b/salt/repo/client/files/rocky/RPM-GPG-KEY-EPEL-9
new file mode 100644
index 000000000..0cc05ecb3
--- /dev/null
+++ b/salt/repo/client/files/rocky/RPM-GPG-KEY-EPEL-9
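Review bot: `RPMKEYSLOC` in the @@ -187 hunk points at `…/salt/repo/client/files/rocky/keys`, but the two key files this commit adds live directly under `salt/repo/client/files/rocky/` with no `keys/` subdirectory, so `rpm --import $RPMKEYSLOC/$RPMKEY` will not find `RPM-GPG-KEY-EPEL-9` or `SALTSTACK-GPG-KEY2.pub` unless some other state copies them; either move the files under `keys/` or drop `/keys` from both path assignments. `docker.pub` was also removed from `RPMKEYS`; if Docker packages are still pulled from Docker's repository, their signatures can no longer be verified, which the commit message should at least acknowledge. The import line should quote its argument, `rpm --import "$RPMKEYSLOC/$RPMKEY" || exit 1`, so a missing key stops the run instead of silently leaving that repository unverifiable. Separately, `set_os` in the @@ -380 hunk labels any host with `/etc/redhat-release` as rocky, while setup's `detect_os` only accepts "Rocky Linux release 9"; aligning the two keeps post-install tooling from treating an unsupported EL host as rocky.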
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGE3mOsBEACsU+XwJWDJVkItBaugXhXIIkb9oe+7aadELuVo0kBmc3HXt/Yp +CJW9hHEiGZ6z2jwgPqyJjZhCvcAWvgzKcvqE+9i0NItV1rzfxrBe2BtUtZmVcuE6 +2b+SPfxQ2Hr8llaawRjt8BCFX/ZzM4/1Qk+EzlfTcEcpkMf6wdO7kD6ulBk/tbsW +DHX2lNcxszTf+XP9HXHWJlA2xBfP+Dk4gl4DnO2Y1xR0OSywE/QtvEbN5cY94ieu +n7CBy29AleMhmbnx9pw3NyxcFIAsEZHJoU4ZW9ulAJ/ogttSyAWeacW7eJGW31/Z +39cS+I4KXJgeGRI20RmpqfH0tuT+X5Da59YpjYxkbhSK3HYBVnNPhoJFUc2j5iKy +XLgkapu1xRnEJhw05kr4LCbud0NTvfecqSqa+59kuVc+zWmfTnGTYc0PXZ6Oa3rK +44UOmE6eAT5zd/ToleDO0VesN+EO7CXfRsm7HWGpABF5wNK3vIEF2uRr2VJMvgqS +9eNwhJyOzoca4xFSwCkc6dACGGkV+CqhufdFBhmcAsUotSxe3zmrBjqA0B/nxIvH +DVgOAMnVCe+Lmv8T0mFgqZSJdIUdKjnOLu/GRFhjDKIak4jeMBMTYpVnU+HhMHLq +uDiZkNEvEEGhBQmZuI8J55F/a6UURnxUwT3piyi3Pmr2IFD7ahBxPzOBCQARAQAB +tCdGZWRvcmEgKGVwZWw5KSA8ZXBlbEBmZWRvcmFwcm9qZWN0Lm9yZz6JAk4EEwEI +ADgWIQT/itE0RZcQbs6BO5GKOHK/MihGfAUCYTeY6wIbDwULCQgHAgYVCgkICwIE +FgIDAQIeAQIXgAAKCRCKOHK/MihGfFX/EACBPWv20+ttYu1A5WvtHJPzwbj0U4yF +3zTQpBglQ2UfkRpYdipTlT3Ih6j5h2VmgRPtINCc/ZE28adrWpBoeFIS2YAKOCLC +nZYtHl2nCoLq1U7FSttUGsZ/t8uGCBgnugTfnIYcmlP1jKKA6RJAclK89evDQX5n +R9ZD+Cq3CBMlttvSTCht0qQVlwycedH8iWyYgP/mF0W35BIn7NuuZwWhgR00n/VG +4nbKPOzTWbsP45awcmivdrS74P6mL84WfkghipdmcoyVb1B8ZP4Y/Ke0RXOnLhNe +CfrXXvuW+Pvg2RTfwRDtehGQPAgXbmLmz2ZkV69RGIr54HJv84NDbqZovRTMr7gL +9k3ciCzXCiYQgM8yAyGHV0KEhFSQ1HV7gMnt9UmxbxBE2pGU7vu3CwjYga5DpwU7 +w5wu1TmM5KgZtZvuWOTDnqDLf0cKoIbW8FeeCOn24elcj32bnQDuF9DPey1mqcvT +/yEo/Ushyz6CVYxN8DGgcy2M9JOsnmjDx02h6qgWGWDuKgb9jZrvRedpAQCeemEd +fhEs6ihqVxRFl16HxC4EVijybhAL76SsM2nbtIqW1apBQJQpXWtQwwdvgTVpdEtE +r4ArVJYX5LrswnWEQMOelugUG6S3ZjMfcyOa/O0364iY73vyVgaYK+2XtT2usMux +VL469Kj5m13T6w== +=Mjs/ +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/salt/repo/client/files/rocky/SALTSTACK-GPG-KEY2.pub b/salt/repo/client/files/rocky/SALTSTACK-GPG-KEY2.pub new file mode 100644 index 000000000..bfc7fc267 --- /dev/null +++ b/salt/repo/client/files/rocky/SALTSTACK-GPG-KEY2.pub 
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBGLXV/8BCADCuomk2pibSOuLQeKMIwV3Afy60080hykdc4tU4qQS+zBJZZC0 +VBl2TAOmMWyeY5DRF2ibRTx6Ap8qYefuEjWlo2WHWWZH4WhNkJWL3aWiu8Ga+fFo +ebjoUFLGgpKDGKveO9PF8A41IP1CLvDicpWXTxfqzQKDOvg3g5EmCx+5ksviXHJ1 +lY5CBbhVPmU3ruzGBqN/6B90VyTicbIyIZKZdnElAqaW6OiEaOmj2Oadi3ARJLWA +8rpVPweZE0/S4B5UIuMh+JVJU3Os1BUXHKN3LAPENZa1NNYX3j53GxGMf+SAKe0g +QHe+fHiiB7a6iBl09W8cUJh8HINXW+vvU6mZABEBAAG0MlNhbHRTdGFjayBQYWNr +YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQFSBBMBCAA8FiEE +9+rekz4krjI0B2hWN6cQR50w17YFAmLXV/8CGwMFCwkIBwIDIgIBBhUKCQgLAgQW +AgMBAh4HAheAAAoJEDenEEedMNe2d0MH/36khQzCWMc5ezznO7bcOHOS3OWjQveF +Vv60y54QRnINCEa7w7ckjiap3dUSJxTo5eoAKNbgX5SgrshEY1HDXDoqgumHJLFW +J+L4f3CXFBhvObUOwB7ApUNHURcoNQYK7kS/vUJrQ3dFyT7uvgysGtv+/WpboY1s +ScJnVtWyQmLe7qj5pJ0aI5pPjFnP9869zPScNb6o6lbqGp/xhnL5NkZCF0DNgItw +HXyNsRPyc8JG+P+GP80XWZ37ajEdwkiPbtu3CD5pvBO1w5FPLBwuH5CSgQFEcA4V +QH8ThU0P1IhKe3xPRNgawcBTAHXqOD0OxilAIsQdfrKkRiTEcZtFZW25AQ0EYtdX +/wEIANFBzJfSks4ti/JQkECtEAwH7OtqUxu1QhSSRusGsQu/PpjBRZzlaVlKjS4c +fGTiZ8+25RX063vBQ+XpuTN9T9boEE4EywM11FCx1zRZIc+HlLOIJ10uKWUapmPM ++7flnQWXMgJzP47rHe0ofEHlP4/av5C1imgWEtEpYyn1B4qgSxvLFDq46rD5m+DP +2xNZbwWd0uSAG/wZNonVkISYymB0UTnUm8FABH1Ci7lXO9JnuW+IvVt32C5VibGy +FXdAJGmIiqsvBhJSUl+GJhO6NTXntuevqPLUXD9PuHWo4Vo1Afek8kqZByyiyrTZ +StDhrbo/8dSAVQMibLEfNS7R0QkAEQEAAYkBNgQYAQgAIBYhBPfq3pM+JK4yNAdo +VjenEEedMNe2BQJi11f/AhsMAAoJEDenEEedMNe2zhgH/0wxbQpaCho0BRbUbe6L +jm9r3yTWn6M+yYv+cBeH9sbobIVOqTvZcawzTEPWa+eVbKgkqhZjUTyfFDpjq9s6 +67zLZnCh85hLoyieSQBER59dc1pmqZJP3VrAIT1lGKMIdjZoN8JAF8IbmJHE1j65 +iZZdhbxfFHnDx22gQ+3nfniTNTWsfVAQeoAjeOuakPKdfUEMsXPBhtBBuFY4NcrT +TIsBevT4J/STCLkEqlMtYC8ldxUCZqQXdtxqltC4k+y0kp4PmNc3/Vmp65oAeuxI +d8TNwgZdamdinv5mPrTfBqSNiELQAcPQnOwpsqEDYF2pq9L4sdNGavP5ZvPGRLkH ++uU= +=383D +-----END PGP PUBLIC KEY BLOCK----- diff --git a/setup/so-functions b/setup/so-functions index 80ddfd68a..fd1fc4b2d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -886,19 +886,13 @@ detect_cloud() { detect_os() { title "Detecting Base OS" if [ -f /etc/redhat-release ]; then - if grep -q "CentOS Linux release 7" /etc/redhat-release; then - OS=centos - OSVER=7 - is_centos=true - pkgman="yum" - elif grep -q "Rocky Linux release 8" /etc/redhat-release; then + if grep -q "Rocky Linux release 9" /etc/redhat-release; then OS=rocky - OSVER=8 + OSVER=9 is_rocky=true pkgman="dnf" - info "We currently do not support Rocky Linux $OSVER but we are working on it!" else - info "We do not support the version of CentOS you are trying to use." + info "We do not support the operating system you are trying to use." exit 1 fi
@@ -932,13 +926,10 @@ installer_progress_loop() { } installer_prereq_packages() { - if [ "$OS" == centos ]; then + if [ "$OS" == rocky ]; then if [[ ! $is_iso ]]; then - if ! yum versionlock > /dev/null 2>&1; then - logCmd "yum -y install yum-plugin-versionlock" - fi if ! command -v nmcli > /dev/null 2>&1; then - logCmd "yum -y install NetworkManager" + logCmd "dnf -y install NetworkManager" fi fi logCmd "systemctl enable NetworkManager"
@@ -1715,7 +1706,7 @@ proxy_validate() { } reserve_group_ids() { - # This is a hack to fix CentOS from taking group IDs that we need + # This is a hack to fix OS from taking group IDs that we need logCmd "groupadd -g 928 kratos" logCmd "groupadd -g 930 elasticsearch" logCmd "groupadd -g 931 logstash"
@@ -1837,8 +1828,8 @@ reset_proxy() { [[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig - if [[ $is_centos ]]; then - sed -i "/proxy=/d" /etc/yum.conf + if [[ $is_rocky ]]; then + sed -i "/proxy=/d" /etc/dnf/dnf.conf else [[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf fi
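Review bot: `pkgman="dnf"` is set in the detect_os hunk but none of the commands this commit rewrites consume it; installer_prereq_packages hard-codes `logCmd "dnf -y install NetworkManager"`, and the remove_package, securityonion_repo and repo_sync_local hunks on the following lines do the same, so the variable is now write-only. Either route those calls through `logCmd "$pkgman -y install NetworkManager"` or drop the variable, so the next platform port does not have to maintain both. The removed `yum versionlock` bootstrap gets no dnf replacement in this hunk; if a later installer step still relies on versionlock (not visible here), the corresponding dnf plugin package would need to be installed at this point. In reserve_group_ids the rewritten comment lost its subject; `# Pre-create groups with fixed GIDs so the OS does not hand them to other packages first` says what the hack is for. detect_os continues outside the hunk.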
@@ -1881,9 +1872,9 @@ drop_install_options() { remove_package() { local package_name=$1 - if [[ $is_centos ]]; then + if [[ $is_rocky ]]; then if rpm -qa | grep -q "$package_name"; then - logCmd "yum remove -y $package_name" + logCmd "dnf remove -y $package_name" fi else if dpkg -l | grep -q "$package_name"; then
@@ -1908,7 +1899,7 @@ securityonion_repo() { echo "Syncing Repo" repo_sync_local fi - logCmd "yum -v clean all" + logCmd "dnf -v clean all" logCmd "mkdir -vp /root/oldrepos" logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" logCmd "ls -la /etc/yum.repos.d/"
@@ -1928,13 +1919,13 @@ securityonion_repo() { fi # need to yum clean all before repo conf files are removed or clean,cleans nothing - logCmd "yum repolist all" + logCmd "dnf repolist all" # update this package because the repo config files get added back # if the package is updated when the update_packages function is called - logCmd "yum -v -y update centos-release" + logCmd "dnf -v -y update rocky-release" info "Backing up the .repo files that were added by the centos-release package." - logCmd "mv -bvf /etc/yum.repos.d/CentOS* /root/oldrepos/" - logCmd "yum repolist all" + logCmd "mv -bvf /etc/yum.repos.d/rocky* /root/oldrepos/" + logCmd "dnf repolist all" fi }
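Review bot: The info line in the second securityonion_repo hunk still attributes the .repo files to the centos-release package although the command directly above it now updates rocky-release; change it to `info "Backing up the .repo files that were added by the rocky-release package."` and update the `# need to yum clean all ...` comment to name dnf as well. In remove_package the retained `rpm -qa | grep -q "$package_name"` is a substring match, so a name like `foo` also matches `foo-devel` and triggers a removal of the wrong package; `if rpm -q "$package_name" > /dev/null 2>&1; then` tests for the exact package. Both enclosing functions start and end outside these hunks.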
@@ -1968,14 +1959,14 @@ repo_sync_local() { if [[ ! "$REPOSYNC" -gt 0 ]]; then # Install reposync info "Installing createrepo" - logCmd "yum -y install -c /root/repodownload.conf yum-utils createrepo" + logCmd "dnf -y install -c /root/repodownload.conf createrepo" else info "We have what we need to sync" fi # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/checkup --output /tmp/checkup" - logCmd "reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/" + logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # After the download is complete run createrepo
From 4741038a41fc45283871d05204be4bcbb4cbc244 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 14 Feb 2023 10:15:35 -0500
Subject: [PATCH 095/470] fix function
---
 salt/common/tools/sbin/so-common | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index fbe9a9700..d66a6cc6f 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -366,10 +366,12 @@ run_check_net_err() { fi } -salt_minion_count() +salt_minion_count() { local MINIONDIR="/opt/so/saltstack/local/pillar/minions" MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep sls | wc -l) +} + set_cron_service_name() { if [[ "$OS" == "rocky" ]]; then cron_service_name="crond"
From 1fa526cd0e4e42b012d09f3f71694d1e0da116e6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 14 Feb 2023 11:22:54 -0500
Subject: [PATCH 096/470] influx upgrade
---
 .../templates/alarm_logstash_eps.json | 21 +++++++++++++++++++
 .../dashboard-security_onion_performance.json | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 salt/influxdb/templates/alarm_logstash_eps.json
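Review bot: The install line now pulls only `createrepo`, but the rewritten `dnf reposync` call is provided by the dnf-plugins-core package, which the removed `yum-utils` dependency used to bring in; on a minimal Rocky 9 host the sync would fail with reposync unavailable unless an earlier step installs it (not visible from this hunk). `logCmd "dnf -y install -c /root/repodownload.conf dnf-plugins-core createrepo"` closes that gap; `createrepo` itself presumably resolves through createrepo_c's Provides on Rocky 9, which is worth confirming on a clean install. The `-g` flag is retained, so packages failing GPG verification are still excluded from the local mirror, which is the property that matters most for an offline repo. repo_sync_local continues outside the hunk.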
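Review bot: The body of salt_minion_count now correctly sits inside braces, but `MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep sls | wc -l)` counts by parsing ls output through an unquoted glob, so a pillar path or file name containing whitespace is miscounted; `MINIONCOUNT=$(find "$MINIONDIR" -maxdepth 1 -name '*.sls' | wc -l)` yields the same number without depending on ls formatting. MINIONCOUNT stays global while MINIONDIR is local, which looks deliberate since callers presumably read it; a comment above the function, `# Sets the global MINIONCOUNT to the number of minion pillar files`, would make that contract explicit.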
diff --git a/salt/influxdb/templates/alarm_logstash_eps.json b/salt/influxdb/templates/alarm_logstash_eps.json
new file mode 100644
index 000000000..2d70eaf11
--- /dev/null
+++ b/salt/influxdb/templates/alarm_logstash_eps.json
@@ -0,0 +1,21 @@
+[{
+ "apiVersion": "influxdata.com/v2alpha1",
+ "kind": "CheckThreshold",
+ "metadata": {
+ "name": "alarm-logstash-eps"
+ },
+ "spec": {
+ "every": "1m0s",
+ "name": "Logstash EPS at 0",
+ "query": "from(bucket: \"telegraf/so_short_term\")\n |\u003e range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |\u003e filter(fn: (r) =\u003e r[\"_measurement\"] == \"logstash_events\")\n |\u003e filter(fn: (r) =\u003e r[\"_field\"] == \"in\")\n |\u003e aggregateWindow(every: 1m, fn: mean, createEmpty: false)\n |\u003e yield(name: \"mean\")",
+ "status": "active",
+ "statusMessageTemplate": "Check: ${ r._check_name } is: ${ r._level }",
+ "thresholds": [
+ {
+ "level": "CRIT",
+ "type": "lesser",
+ "value": 1
+ }
+ ]
+ }
+}]
\ No newline at end of file
diff --git a/salt/influxdb/templates/dashboard-security_onion_performance.json b/salt/influxdb/templates/dashboard-security_onion_performance.json
index 9057d1078..c6a30ed95 100644
--- a/salt/influxdb/templates/dashboard-security_onion_performance.json
+++ b/salt/influxdb/templates/dashboard-security_onion_performance.json
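Review bot: The check query averages the raw `in` field of `logstash_events`, yet the dashboard hunk on the following lines treats that same field as a cumulative counter (its "Estimated EPS In" panel applies `derivative(unit: 1s, nonNegative: true, ...)` before aggregating); if that reading is right, this threshold compares the running total with 1 and can only fire before the first event is ever counted, never when the ingest rate actually drops to zero. Inserting `|> derivative(unit: 1s, nonNegative: true, columns: ["_value"], timeColumn: "_time")` ahead of the `aggregateWindow` step makes the check evaluate events per second as the name "Logstash EPS at 0" promises. Separately, `createEmpty: false` means a node that stops reporting produces no rows, so the threshold is never evaluated and the check silently keeps its last status; pairing this with a deadman check covers the silent-pipeline failure, which is the case a SOC most needs to notice.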
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"ruby","type":"text","hex":"#BF3D5E","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Critical Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"crit\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"yPos":2},{"colors":[{"id":"base","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QCTYWuGuHkikYFsZSKMzQ","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QdpMyTRBb0LJ56-P5wfAW","name":"laser","type":"text","hex":"#00C9FF","value":1},{"id":"VQGwCoMrxZyP8asiOW5Cq","name":"tiger","type":"text","hex":"#F48D38","value":2},{"id":"zSO9QkesSIxrU_ntCBx2i","name":"ruby","type":"text","hex":"#BF3D5E","value":3}],"fieldOptions":[{"fieldName":"_time","visible":true},{"displayName":"Alarm","fieldName":"_check_name","visible":true},{"displayName":"Severity","fieldName":"_value","visible":true},{"displayName":"Status","fieldName":"_level","visible":true}],"height":6,"kind":"Table","name":"Alarm Status","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> drop(columns: [\"_value\"])\n |> duplicate(column: \"_level\", as: \"_value\")\n |> map(fn: (r) => ({ r with _value: if r._value == \"ok\" then 0 else if r._value == \"info\" then 1 else if r._value == \"warn\" then 2 else 3 }))\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> keep(columns: [\"_check_name\",\"_level\",\"_value\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"_check_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD 
HH:mm:ss","width":3,"yPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" 
days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> map(fn: 
(r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> yield(name: \"last\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: 
\"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface 
== r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: 
mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"tiger","type":"text","hex":"#F48D38","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Warning Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"warn\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"xPos":1,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IO Wait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"laser","type":"text","hex":"#00C9FF","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Informative Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"info\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"xPos":2,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> 
derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"kOQLOg2H4FVEE-E1_L8Kq","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"5IArg2lDb8KvnphywgUXa","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Root Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document 
Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: last, createEmpty: true)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"last\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty 
Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] 
== \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if 
v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != 
\"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xPos":4,"yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Drops","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" 
Mb/s","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"H7uprvKmMEh39en6X-ms_","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n 
|> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n 
\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> 
group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n 
|> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> 
filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", 
\"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n 
else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: 
[\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> set(key: \"_field\", value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"colors":[{"id":"base","name":"white","type":"text","hex":"#ffffff"}],"fieldOptions":[{"displayName":"Host","fieldName":"host","visible":true},{"displayName":"Name","fieldName":"container_name","visible":true},{"displayName":"Status","fieldName":"container_status","visible":true},{"displayName":"OOM Killed","fieldName":"_value","visible":true},{"displayName":"_start","fieldName":"_start","visible":true},{"displayName":"_stop","fieldName":"_stop","visible":true},{"displayName":"_time","fieldName":"_time","visible":true},{"displayName":"_field","fieldName":"_field","visible":true},{"displayName":"_measurement","fieldName":"_measurement","visible":true},{"displayName":"engine_host","fieldName":"engine_host","visible":true},{"displayName":"role","fieldName":"role","visible":true},{"displayName":"server_version","fieldName":"server_version","visible":true},{"displayName":"container_image","fieldName":"container_image","visible":true},{"displayName":"container_version","fieldName":"container_version","visible":true},{"displayName":"description","fieldName":"description","visible":true},{"displayName":"maintainer","fieldName":"maintainer","visible":true},{"displayName":"io.k8s.description","fieldName":"io.k8s.description","visible":true},{"displayName":"io.k8s.display-name","fieldName":"io.k8s.display-name","visible":true},{"displayName":"license","fieldName":"license","visible":true},{"displayName":"name","fieldName":"name","visible":true},{"displayName":"org.label-schema.build-date","fieldName":"org.label-schema.build-date","visible":true},{"displayName":"org.label-schema.license","fieldName":"org.label-schema.license","visible":true},{"displayName":"org.label-schema.name","fieldName":"org.label-schema.name","visible":true},{"displayName":"org.label-schema.schema-version","fieldName":"org.label-schema.schema-version","visible":true},{"displayName":"org.label-schema.url","fieldName"
:"org.label-schema.url","visible":true},{"displayName":"org.label-schema.vcs-ref","fieldName":"org.label-schema.vcs-ref","visible":true},{"displayName":"org.label-schema.vcs-url","fieldName":"org.label-schema.vcs-url","visible":true},{"displayName":"org.label-schema.vendor","fieldName":"org.label-schema.vendor","visible":true},{"displayName":"org.label-schema.version","fieldName":"org.label-schema.version","visible":true},{"displayName":"org.opencontainers.image.created","fieldName":"org.opencontainers.image.created","visible":true},{"displayName":"org.opencontainers.image.licenses","fieldName":"org.opencontainers.image.licenses","visible":true},{"displayName":"org.opencontainers.image.title","fieldName":"org.opencontainers.image.title","visible":true},{"displayName":"org.opencontainers.image.vendor","fieldName":"org.opencontainers.image.vendor","visible":true},{"displayName":"release","fieldName":"release","visible":true},{"displayName":"summary","fieldName":"summary","visible":true},{"displayName":"url","fieldName":"url","visible":true},{"displayName":"vendor","fieldName":"vendor","visible":true},{"displayName":"version","fieldName":"version","visible":true},{"displayName":"org.label-schema.usage","fieldName":"org.label-schema.usage","visible":true},{"displayName":"org.opencontainers.image.documentation","fieldName":"org.opencontainers.image.documentation","visible":true},{"displayName":"org.opencontainers.image.revision","fieldName":"org.opencontainers.image.revision","visible":true},{"displayName":"org.opencontainers.image.source","fieldName":"org.opencontainers.image.source","visible":true},{"displayName":"org.opencontainers.image.url","fieldName":"org.opencontainers.image.url","visible":true},{"displayName":"org.opencontainers.image.version","fieldName":"org.opencontainers.image.version","visible":true},{"displayName":"org.opencontainers.image.description","fieldName":"org.opencontainers.image.description","visible":true}],"height":4,"kind":"Table","name":"Tro
ubled Containers","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"oomkilled\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"container_image\", \"host\"])\n |> last()\n |> group()\n |> keep(columns: [\"_value\", \"container_name\", \"host\"])\n |> filter(fn: (r) => r[\"container_status\"] != \"running\")"}],"staticLegend":{},"tableOptions":{"sortBy":"container_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD HH:mm:ss","width":3,"xPos":9,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => 
r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"description":"Visualize the Security Onion grid performance metrics and alarm statuses.","name":"Security Onion Performance"}}] \ No newline at end of file +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"ruby","type":"text","hex":"#BF3D5E","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Critical 
Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"crit\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"yPos":2},{"colors":[{"id":"base","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QCTYWuGuHkikYFsZSKMzQ","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QdpMyTRBb0LJ56-P5wfAW","name":"laser","type":"text","hex":"#00C9FF","value":1},{"id":"VQGwCoMrxZyP8asiOW5Cq","name":"tiger","type":"text","hex":"#F48D38","value":2},{"id":"zSO9QkesSIxrU_ntCBx2i","name":"ruby","type":"text","hex":"#BF3D5E","value":3}],"fieldOptions":[{"fieldName":"_time","visible":true},{"displayName":"Alarm","fieldName":"_check_name","visible":true},{"displayName":"Severity","fieldName":"_value","visible":true},{"displayName":"Status","fieldName":"_level","visible":true}],"height":6,"kind":"Table","name":"Alarm Status","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> drop(columns: [\"_value\"])\n |> duplicate(column: \"_level\", as: \"_value\")\n |> map(fn: (r) => ({ r with _value: if r._value == \"ok\" then 0 else if r._value == \"info\" then 1 else if r._value == \"warn\" then 2 else 3 }))\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> keep(columns: [\"_check_name\",\"_level\",\"_value\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"_check_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD 
HH:mm:ss","width":3,"yPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" 
days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60)}))\n |> yield(name: 
\"Trend\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" 
then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) 
=> r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"tiger","type":"text","hex":"#F48D38","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Warning Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"warn\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"xPos":1,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IO Wait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"laser","type":"text","hex":"#00C9FF","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Informative Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"info\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"xPos":2,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> 
derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"kOQLOg2H4FVEE-E1_L8Kq","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"5IArg2lDb8KvnphywgUXa","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Root Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document 
Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> group(columns: [\"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> group(columns: [\"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty 
Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> 
roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = 
(tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"0ynR6Zs0wuQ3WY0Lz-_KC","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"YiArehCNBwFm9mn8DSXSG","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"DxByY_EQW9Xs2jD5ktkG5","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] 
== v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xPos":4,"yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Drops","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" 
Mb/s","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"H7uprvKmMEh39en6X-ms_","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n 
|> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n 
\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> 
group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n 
|> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> 
filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", 
\"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n 
else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: 
[\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> set(key: \"_field\", value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"colors":[{"id":"base","name":"white","type":"text","hex":"#ffffff"}],"fieldOptions":[{"displayName":"Host","fieldName":"host","visible":true},{"displayName":"Name","fieldName":"container_name","visible":true},{"displayName":"Status","fieldName":"container_status","visible":true},{"displayName":"OOM Killed","fieldName":"_value","visible":true},{"displayName":"_start","fieldName":"_start","visible":true},{"displayName":"_stop","fieldName":"_stop","visible":true},{"displayName":"_time","fieldName":"_time","visible":true},{"displayName":"_field","fieldName":"_field","visible":true},{"displayName":"_measurement","fieldName":"_measurement","visible":true},{"displayName":"engine_host","fieldName":"engine_host","visible":true},{"displayName":"role","fieldName":"role","visible":true},{"displayName":"server_version","fieldName":"server_version","visible":true},{"displayName":"container_image","fieldName":"container_image","visible":true},{"displayName":"container_version","fieldName":"container_version","visible":true},{"displayName":"description","fieldName":"description","visible":true},{"displayName":"maintainer","fieldName":"maintainer","visible":true},{"displayName":"io.k8s.description","fieldName":"io.k8s.description","visible":true},{"displayName":"io.k8s.display-name","fieldName":"io.k8s.display-name","visible":true},{"displayName":"license","fieldName":"license","visible":true},{"displayName":"name","fieldName":"name","visible":true},{"displayName":"org.label-schema.build-date","fieldName":"org.label-schema.build-date","visible":true},{"displayName":"org.label-schema.license","fieldName":"org.label-schema.license","visible":true},{"displayName":"org.label-schema.name","fieldName":"org.label-schema.name","visible":true},{"displayName":"org.label-schema.schema-version","fieldName":"org.label-schema.schema-version","visible":true},{"displayName":"org.label-schema.url","fieldName"
:"org.label-schema.url","visible":true},{"displayName":"org.label-schema.vcs-ref","fieldName":"org.label-schema.vcs-ref","visible":true},{"displayName":"org.label-schema.vcs-url","fieldName":"org.label-schema.vcs-url","visible":true},{"displayName":"org.label-schema.vendor","fieldName":"org.label-schema.vendor","visible":true},{"displayName":"org.label-schema.version","fieldName":"org.label-schema.version","visible":true},{"displayName":"org.opencontainers.image.created","fieldName":"org.opencontainers.image.created","visible":true},{"displayName":"org.opencontainers.image.licenses","fieldName":"org.opencontainers.image.licenses","visible":true},{"displayName":"org.opencontainers.image.title","fieldName":"org.opencontainers.image.title","visible":true},{"displayName":"org.opencontainers.image.vendor","fieldName":"org.opencontainers.image.vendor","visible":true},{"displayName":"release","fieldName":"release","visible":true},{"displayName":"summary","fieldName":"summary","visible":true},{"displayName":"url","fieldName":"url","visible":true},{"displayName":"vendor","fieldName":"vendor","visible":true},{"displayName":"version","fieldName":"version","visible":true},{"displayName":"org.label-schema.usage","fieldName":"org.label-schema.usage","visible":true},{"displayName":"org.opencontainers.image.documentation","fieldName":"org.opencontainers.image.documentation","visible":true},{"displayName":"org.opencontainers.image.revision","fieldName":"org.opencontainers.image.revision","visible":true},{"displayName":"org.opencontainers.image.source","fieldName":"org.opencontainers.image.source","visible":true},{"displayName":"org.opencontainers.image.url","fieldName":"org.opencontainers.image.url","visible":true},{"displayName":"org.opencontainers.image.version","fieldName":"org.opencontainers.image.version","visible":true},{"displayName":"org.opencontainers.image.description","fieldName":"org.opencontainers.image.description","visible":true}],"height":4,"kind":"Table","name":"Mos
t Recent Container Events","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"oomkilled\")\n |> filter(fn: (r) => r[\"container_status\"] != \"running\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"container_image\", \"host\"])\n |> last()\n |> group()\n |> keep(columns: [\"_value\", \"container_name\", \"host\", \"container_status\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"container_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD HH:mm:ss","width":3,"xPos":9,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == 
\"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"description":"Visualize the Security Onion grid performance metrics and alarm statuses.","name":"Security Onion Performance"}}] \ No newline at end of file From 0f51e7bb980a41f0fba2e68a73ca2713daf8c55c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Feb 2023 13:14:21 -0500 Subject: [PATCH 097/470] fix key locations for rocky --- salt/repo/client/files/rocky/{ => keys}/RPM-GPG-KEY-EPEL-9 | 0 salt/repo/client/files/rocky/{ => keys}/SALTSTACK-GPG-KEY2.pub | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename salt/repo/client/files/rocky/{ => keys}/RPM-GPG-KEY-EPEL-9 (100%) rename salt/repo/client/files/rocky/{ => keys}/SALTSTACK-GPG-KEY2.pub (100%) diff --git a/salt/repo/client/files/rocky/RPM-GPG-KEY-EPEL-9 b/salt/repo/client/files/rocky/keys/RPM-GPG-KEY-EPEL-9 similarity index 100% rename from salt/repo/client/files/rocky/RPM-GPG-KEY-EPEL-9 rename to salt/repo/client/files/rocky/keys/RPM-GPG-KEY-EPEL-9 
diff --git a/salt/repo/client/files/rocky/SALTSTACK-GPG-KEY2.pub b/salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub similarity index 100% rename from salt/repo/client/files/rocky/SALTSTACK-GPG-KEY2.pub rename to salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub From 4dcdea58d758ed22b6915f922a59c303e5be40a1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Feb 2023 13:16:13 -0500 Subject: [PATCH 098/470] add key for so packages --- .../client/files/rocky/keys/securityonion.pub | 52 +++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 salt/repo/client/files/rocky/keys/securityonion.pub diff --git a/salt/repo/client/files/rocky/keys/securityonion.pub b/salt/repo/client/files/rocky/keys/securityonion.pub new file mode 100644 index 000000000..15be14ca9 --- /dev/null +++ b/salt/repo/client/files/rocky/keys/securityonion.pub 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF7rzwEBEADBg87uJhnC3Ls7s60hbHGaywGrPtbz2WuYA/ev3YS3X7WS75p8 +PGlzTWUCujx0pEHbK2vYfExl3zksZ8ZmLyZ9VB3oSLiWBzJgKAeB7YCFEo8te+eE +P2Z+8c+kX4eOV+2waxZyewA2TipSkhWgStSI4Ow8SyVUcUWA3hCw7mo2duNVi7KO +C3vvI3wzirH+8/XIGo+lWTg6yYlSxdf+0xWzYvV2QCMpwzJfARw6GGXtfCZw/zoO +o4+YPsiyztQdyI1y+g3Fbesl65E36DelbyP+lYd2VecX8ELEv0wlKCgHYlk6lc+n +qnOotVjWbsyXuFfo06PHUd6O9n3nmo0drC6kmXGw1e8hu0t8VcGfMTKS/hszwVUY +bHS6kbfsOoAb6LXPWKfqxk/BdreLXmcHHz88DimS3OS0JufkcmkjxEzSFRL0kb2h +QVb1SATrbx+v2RWQXvi9sLCjT2fdOiwi1Tgc84orc7A1C3Jwu353YaX9cV+n5uyG +OZ2AULZ5z2h13sVuiZAwfyyFs/O0CJ783hFA2TNPnyNGAgw/kaIo7nNRnggtndBo +oQzVS+BHiFx98IF4zDqmF2r2+jOCjxSrw8KnZBe4bgXFtl89DmjoejGvWDnu2MVM +pZDEs1DcOxHBQmTCWMIYLyNKG0xW6diyWBxEIaa7YgrP6kA+RaDfZ/xXPwARAQAB +tD9TZWN1cml0eSBPbmlvbiBTb2x1dGlvbnMsIExMQyA8aW5mb0BzZWN1cml0eW9u +aW9uc29sdXRpb25zLmNvbT6JAlQEEwEKAD4WIQTIBKk9Nr4Mcz6hlkR8EGC3/lBw +EwUCXuvPAQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB8EGC3 +/lBwExB1D/42xIDGU2XFNFyTU+ZqzDA8qNC9hEKjLeizbeM8RIm3xO+3p7SdqbuJ +7pA8gk0RiHuILb+Ba1xiSh/w/W2bOxQhsXuWHih2z3W1tI+hu6RQhIm4e6CIHHf7 +Vzj4RSvHOVS0AzITUwkHjv0x0Z8zVBPJfEHKkK2x03BqP1o12rd7n2ZMrSfN6sED +fUwOJLDjthShtyLSPBVG8j7T5cfSCPSLhfVOKPQVcI1sSir7RLeyxt1v1kzjQdaA ++znxO8EgfZJN93wzfBrAGcVT8KmpmgwR6p46m20wJXyZC9DZxJ0o1y3toVWTC+kP +Qj1ROPivySVn10rBoOJk8HteyhW07gTcydq+noKHV7SqJ1899xRAYP7rDCfI9iMW +Nn22ZDLnAkIcbNR7JLJCHwsZH/Umo9KO/dIccIqVQel3UCCYZcWTZW0VkcjqVKRa +eK+JQGaJPrBAoxIG5/sMlbk2sINSubNWlcbH6kM0V8NVwdPiOO9xLmp2hI4ICxE3 +M+O2HCNX4QYzVizzTFxEvW3ieLa4nePQ8J6lvMI2oLkFP7xHoFluvZnuwfNvoEy0 +RnlHExN1UQTUvcbCxIbzjaJ4HJXilWHjgmGaVQO1S7AYskWnNWQ7uJvxnuZBNNwm +pIvwYEZp23fYaWl/xKqnmPMy2ADjROBKlCm7L+Ntq1r7ELGW5ZCTobkCDQRe688B +ARAA22GzdkSAo+mwJ2S1RbJ1G20tFnLsG/NC8iMN3lEh/PSmyPdB7mBtjZ+HPDzF +VSznXZdr3LItBBQOli2hVIj1lZBY7+s2ZufV3TFFwselUwT3b1g1KMkopD95Ckf8 +WhLbSz2yqgrvcEvbB0HFX/ZEsHGqIz2kLacixjwXXLWOMQ2LNbeW1f5zQkBnaNNQ +/4njzTj68OxnvfplNYNJqi2pZGb2UqarYX04FqKNuocN8E7AC9FQdBXylmVctw9T 
+pQVwfCI76bTe6vPWb+keb6UNN1jyXVnhIQ3Fv5sFBsmgXf/hO8tqCotrKjEiK2/i +RkvFeqsGMXreCgYg9zW4k+DcJtVa+Q8juGOjElrubY3Ua9mCusx3vY4QYSWxQ5Ih +k1lXiUcM5Rt38lfpKHRJ5Pd4Y5xlWSQfZ7nmzbf/GzJQz+rWrA0X6Oc6cDOPLNXK +w1dAygre4f2bsp5kHQt6NMefxeNTDmi+4R62K0tb40f5q0Vxz8qdyD48bBsbULNx +kb6mjOAD+FNkfNXcGeuTq9oRnjx8i93mhYsIP5LFNDXS/zSP1nv0ZUFeIlGQGjV9 +1wOvT454qkI9sKiVFtd4FrNKZJbKszxxDm+DPfB5j+hRC4oeEJ7w+sVyh3EawtfM +V7Mwj8i+7c3YUCravXBhSwG7SCTggFUgA8lMr8oWVgCATYsAEQEAAYkCPAQYAQoA +JhYhBMgEqT02vgxzPqGWRHwQYLf+UHATBQJe688BAhsMBQkSzAMAAAoJEHwQYLf+ +UHATTtwQAJiztPW68ykifpFdwYFp1VC7c+uGLhWBqjDY9NSUKNC9caR7bV0cnNu8 +07UG6j18gCB2GSkukXjOR/oTj6rNcW/WouPYfQOrw7+M2Ya8M8iq+E/HOXaXB3b4 +FeCcB0UuwfcHHd2KbXrRHA+9GNpmuOcfTCdsPpIr41Xg4QltATDEt/FrzuKspXg4 +vUKDXgfnbj7y0JcJM2FfcwWGlnAG5MMRyjJQAleGdiidX/9WxgJ4Mweq4qJM0jr3 +Qsrc9VuzxsLr85no3Hn5UYVgT7bBZ59HUbQoi775m78MxN3mWUSdcyLQKovI+YXr +tshTxWIf/2Ovdzt6Wq1WWXOGGuK1qgdPJTFWrlh3amFdb70zR1p6A/Lthd7Zty+n +QjRZRQo5jBSnYtjhMrZP6rxM3QqnQ0frEKK9HfDYONk1Bw18CUtdwFGb9OMregLR +IjvNLp9coSh5yYAepZyUGEPRET0GsmVw2trQF0uyMSkQfiq2zjPto6WWbsmrrbLr +cfZ/wnBw1FoNEd51U54euo9yvOgOVtJGvqLgHNwB8574FhQhoWAMhyizqdgeEt26 +m3FXecUNKL/AK71/l04vor+/WsXe8uhDg3O84qeYa9wgd8LZZVmGZJDosSwqYjtb +LdNNm+v60Zo6rFWSREegqi/nRTTDdxdW99ybjlh+mpbq3xavyFXF +=bhkm +-----END PGP PUBLIC KEY BLOCK----- From 4c2142b181db09f646604bfed8a7bcd7db8d8cc2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Feb 2023 13:21:37 -0500 Subject: [PATCH 099/470] add key for so packages --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index fd1fc4b2d..f4df47794 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1893,7 +1893,7 @@ remove_package() { securityonion_repo() { # Remove all the current repos - if [[ $is_centos ]]; then + if [[ $is_rocky ]]; then if [[ $waitforstate ]]; then # Build the repo locally so we can use it echo "Syncing Repo" From 2cddcc8b8d2d488983ae87337198a203a1066868 Mon Sep 17 00:00:00 2001 
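Review bot: The new securityonion.pub trust anchor is committed without its fingerprint being recorded anywhere a reviewer can check, so nothing in this series lets a later reader confirm the armored block is the intended package-signing key rather than a substituted one. The commit message says only "add key for so packages"; I'd add the fingerprint (as printed by `gpg --show-keys` on the file) to the commit message or to a short README beside the keys directory so it can be compared against the value published out of band. A `Comment:` header inside the armor would also carry it, but a sibling file is easier to diff and review.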
From: Mike Reeves Date: Tue, 14 Feb 2023 13:38:28 -0500 Subject: [PATCH 100/470] Change some order in repo sync --- setup/so-functions | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f4df47794..552a19ce7 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1894,11 +1894,6 @@ remove_package() { securityonion_repo() { # Remove all the current repos if [[ $is_rocky ]]; then - if [[ $waitforstate ]]; then - # Build the repo locally so we can use it - echo "Syncing Repo" - repo_sync_local - fi logCmd "dnf -v clean all" logCmd "mkdir -vp /root/oldrepos" logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" @@ -1922,10 +1917,16 @@ securityonion_repo() { logCmd "dnf repolist all" # update this package because the repo config files get added back # if the package is updated when the update_packages function is called - logCmd "dnf -v -y update rocky-release" - info "Backing up the .repo files that were added by the centos-release package." - logCmd "mv -bvf /etc/yum.repos.d/rocky* /root/oldrepos/" - logCmd "dnf repolist all" + if [ -f "/etc/yum.repos.d/rocky.repo" ]; then + info "Backing up the .repo files that were added by the centos-release package." + logCmd "mv -bvf /etc/yum.repos.d/rocky* /root/oldrepos/" + logCmd "dnf repolist all" + fi + if [[ $waitforstate ]]; then + # Build the repo locally so we can use it + echo "Syncing Repo" + repo_sync_local + fi fi } 
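Review bot: The comment and message kept above the new `if [ -f "/etc/yum.repos.d/rocky.repo" ]` block in the second hunk of securityonion_repo no longer match the code: the comment still explains why the release package is updated, but the `dnf -v -y update rocky-release` line it refers to is removed by this same hunk, and the info line still names the `centos-release` package while the test is now for a Rocky repo file. I'd replace the two comment lines with `# Back up any .repo files left by rocky-release so they are not enabled alongside the Security Onion repo` and change the message to `info "Backing up the .repo files that were added by the rocky-release package."`. The `if [[ $is_rocky ]]` that wraps this block and the function's opening lines are outside the second hunk.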
@@ -1936,21 +1937,16 @@ repo_sync_local() { mkdir -p /nsm/repo mkdir -p /root/reposync_cache echo "[main]" > /root/repodownload.conf + echo "gpgcheck=1" >> /root/repodownload.conf + echo "installonly_limit=3" >> /root/repodownload.conf + echo "clean_requirements_on_remove=True" >> /root/repodownload.conf + echo "best=True" >> /root/repodownload.conf + echo "skip_if_unavailable=False" >> /root/repodownload.conf echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf echo "keepcache=0" >> /root/repodownload.conf - echo "debuglevel=2" >> /root/repodownload.conf - echo "logfile=/var/log/yum.log" >> /root/repodownload.conf - echo "exactarch=1" >> /root/repodownload.conf - echo "obsoletes=1" >> /root/repodownload.conf - echo "gpgcheck=1" >> /root/repodownload.conf - echo "plugins=1" >> /root/repodownload.conf - echo "installonly_limit=2" >> /root/repodownload.conf - echo "bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum" >> /root/repodownload.conf - echo "distroverpkg=centos-release" >> /root/repodownload.conf - echo "clean_requirements_on_remove=1" >> /root/repodownload.conf echo "[securityonionsync]" >> /root/repodownload.conf echo "name=Security Onion Repo repo" >> /root/repodownload.conf - echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/c7so/" >> /root/repodownload.conf + echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2,4/" >> /root/repodownload.conf echo "enabled=1" >> /root/repodownload.conf echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf 
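Review bot: The rewritten `[securityonionsync]` stanza still takes its `gpgkey` from the same origin as `baseurl` (repo.securityonion.net on both lines), so with `gpgcheck=1` the trust anchor used to verify the sync is fetched from the very mirror it is meant to verify; anyone able to serve a different package tree can serve a matching key alongside it. Since this series also checks `securityonion.pub` into the repository (commit 098, under salt/repo/client/files/rocky/keys/), I'd point `gpgkey` at that local copy with a `file://` URL when it is present on the installer and fall back to the URL only when it is not — whether that path is on disk at this point of setup is not visible here. The `gpgcheck=1` already written under `[main]` makes the per-repo one redundant but harmless. repo_sync_local starts outside the hunk.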
@@ -1963,7 +1959,7 @@ repo_sync_local() { else info "We have what we need to sync" fi - + dnf repolist # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 577e3c27fef21df64827624bcea67e55063774f9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 14 Feb 2023 13:52:21 -0500 Subject: [PATCH 101/470] Update repo URL --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 552a19ce7..677bb6da6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1946,7 +1946,7 @@ repo_sync_local() { echo "keepcache=0" >> /root/repodownload.conf echo "[securityonionsync]" >> /root/repodownload.conf echo "name=Security Onion Repo repo" >> /root/repodownload.conf - echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2,4/" >> /root/repodownload.conf + echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /root/repodownload.conf echo "enabled=1" >> /root/repodownload.conf echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf @@ -1961,7 +1961,7 @@ repo_sync_local() { fi dnf repolist # Make sure we can get to the sig repo - logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/checkup --output /tmp/checkup" + logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" 
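Review bot: The added `dnf repolist` is the only command in this stretch of repo_sync_local that is not wrapped in `logCmd`, so its output bypasses whatever logCmd does for the neighbouring `curl` and `dnf reposync` calls (logCmd is defined outside this hunk, so I cannot say what is lost). For consistency I'd write `logCmd "dnf repolist"`, or drop the line if it was only a debugging aid. The function starts outside the hunk.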
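Review bot: The `/1` appended to the curl User-Agent in the second hunk is an unexplained literal next to `$SOVERSION/$OS/$(uname -r)`, which are all named values, so a reader cannot tell whether it is a format version for the checkup endpoint, a retry marker or something else. I'd bind it to a named variable or add a comment on the line above, e.g. `# trailing /1: checkup request format version (confirm with the sigs endpoint owner)`. The baseurl fix in the first hunk needs nothing further. repo_sync_local starts outside both hunks.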
From 8746f558348237d06b8a72629004d6f189de498b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 15 Feb 2023 08:03:22 -0500 Subject: [PATCH 102/470] influx upgrade --- salt/common/tools/sbin/so-influxdb-manage | 20 ++++++++++++++++++++ salt/soc/defaults.map.jinja | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage index 96b0c01f9..907e0342c 100644 --- a/salt/common/tools/sbin/so-influxdb-manage +++ b/salt/common/tools/sbin/so-influxdb-manage @@ -11,6 +11,8 @@ usage() { echo "Usage: $0 [args]" echo "" echo "Supported Operations:" + echo " dashboardpath Returns the URL path for a dashboard, requires: " + echo " export Exports all templates to stdout" echo " setup Loads all templates and creates all required buckets" echo " userlist Lists users" echo " useradd Adds a new user, requires: " @@ -260,6 +262,24 @@ case "$OP" in check_response "$response" ;; + export) + log "Exporting all organization templates" + request templates/export -X POST -d "{\"orgIDs\":[{\"orgID\":\"$oid\"}]}" -H "Content-Type: application/json" + ;; + + dashboardpath) + [ $# -ne 1 ] && usage + name=$1 + response=$(request dashboards?limit=100&orgID=$oid) + check_response "$response" + dbid=$(echo "$response" | jq -r ".dashboards[] | select(.name == \"$name\").id") + if [[ -z "$dbid" ]]; then + log "Dashboard not found" + exit 1 + fi + echo -n "/influxdb/orgs/$oid/dashboards/$dbid" + ;; + *) usage ;; diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 912b16f46..17253b7fb 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja 
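Review bot: `response=$(request dashboards?limit=100&orgID=$oid)` in the new dashboardpath case is unquoted, so the shell parses the `&` as a job-control operator: `request dashboards?limit=100` runs in the background and `orgID=$oid` becomes a plain variable assignment, so the org filter never reaches the API (and the `?` is also exposed to globbing). Quote the argument: `response=$(request "dashboards?limit=100&orgID=$oid")`. The jq call on the following line splices `$name` into the program text, `select(.name == \"$name\")`, which breaks on any dashboard name containing a double quote or backslash; pass it as data instead: `dbid=$(echo "$response" | jq -r --arg name "$name" '.dashboards[] | select(.name == $name).id')`. If two dashboards share a name `dbid` becomes two lines and the emitted path is malformed, so either take the first match or treat that as an error.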
@@ -2,6 +2,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER -%} {%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} +{%- set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %} {% for module, application_url in GLOBALS.application_urls.items() %} {% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %} @@ -18,6 +19,11 @@ {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %} +{% for tool in SOCDEFAULTS.soc.server.client.tools %} +{% if tool.name == "toolInfluxDb" %} +{% do tool.update({'link': METRICS_LINK}) %} +{% endif %} +{% endfor %} {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %} From c43ccb7ed2fdef02e56c963f5240d4926ed41f12 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 15 Feb 2023 09:47:18 -0500 Subject: [PATCH 103/470] influx upgrade --- .../templates/dashboard-security_onion_performance.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/templates/dashboard-security_onion_performance.json b/salt/influxdb/templates/dashboard-security_onion_performance.json index c6a30ed95..3cad5b362 100644 --- a/salt/influxdb/templates/dashboard-security_onion_performance.json +++ b/salt/influxdb/templates/dashboard-security_onion_performance.json 
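Review bot: The new `METRICS_LINK` line calls `salt['cmd.run'](...)` without checking the result, and the loop added in the second hunk writes it into the toolInfluxDb entry unconditionally, so when `so-influxdb-manage dashboardpath` fails (the script in the previous file exits 1 after logging "Dashboard not found") the link is set to an empty string or to whatever the command printed on stdout. I'd use `cmd.run_all` and only update the tool when `retcode` is 0 and stdout is non-empty; the minimal guard is `{% if METRICS_LINK %}{% do tool.update({'link': METRICS_LINK}) %}{% endif %}`. The command also runs on every render of this map and presumably queries the InfluxDB API each time, so caching the path or rendering it only where InfluxDB runs may be worth considering — how often this map is rendered is not visible here.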
@@ -1 +1 @@ -[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"ruby","type":"text","hex":"#BF3D5E","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Critical Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"crit\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"yPos":2},{"colors":[{"id":"base","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QCTYWuGuHkikYFsZSKMzQ","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QdpMyTRBb0LJ56-P5wfAW","name":"laser","type":"text","hex":"#00C9FF","value":1},{"id":"VQGwCoMrxZyP8asiOW5Cq","name":"tiger","type":"text","hex":"#F48D38","value":2},{"id":"zSO9QkesSIxrU_ntCBx2i","name":"ruby","type":"text","hex":"#BF3D5E","value":3}],"fieldOptions":[{"fieldName":"_time","visible":true},{"displayName":"Alarm","fieldName":"_check_name","visible":true},{"displayName":"Severity","fieldName":"_value","visible":true},{"displayName":"Status","fieldName":"_level","visible":true}],"height":6,"kind":"Table","name":"Alarm Status","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> drop(columns: [\"_value\"])\n |> duplicate(column: \"_level\", as: \"_value\")\n |> map(fn: (r) => ({ r with _value: if r._value == \"ok\" then 0 else if r._value == \"info\" then 1 else if r._value == \"warn\" then 2 else 3 }))\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> keep(columns: [\"_check_name\",\"_level\",\"_value\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"_check_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD 
HH:mm:ss","width":3,"yPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" 
days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60)}))\n |> yield(name: 
\"Trend\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" 
then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) 
=> r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"tiger","type":"text","hex":"#F48D38","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Warning Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"warn\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"xPos":1,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IO Wait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"laser","type":"text","hex":"#00C9FF","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Informative Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> filter(fn: (r) => r[\"_level\"] == \"info\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"xPos":2,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> 
derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"kOQLOg2H4FVEE-E1_L8Kq","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"5IArg2lDb8KvnphywgUXa","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Root Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document 
Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> group(columns: [\"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> group(columns: [\"host\", \"role\", \"container_name\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty 
Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> 
roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = 
(tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"0ynR6Zs0wuQ3WY0Lz-_KC","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"YiArehCNBwFm9mn8DSXSG","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"DxByY_EQW9Xs2jD5ktkG5","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] 
== v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> yield(name: 
\"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key:\"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xPos":4,"yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Drops","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" 
Mb/s","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"H7uprvKmMEh39en6X-ms_","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n 
|> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n 
\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> 
group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n 
|> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> set(key: \"_field\", value: \"Trend In\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> 
filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> set(key: \"_field\", value: \"Trend Out\")\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", 
\"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => 
r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n 
else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: 
[\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> set(key: \"_field\", value: \"Trend\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"colors":[{"id":"base","name":"white","type":"text","hex":"#ffffff"}],"fieldOptions":[{"displayName":"Host","fieldName":"host","visible":true},{"displayName":"Name","fieldName":"container_name","visible":true},{"displayName":"Status","fieldName":"container_status","visible":true},{"displayName":"OOM Killed","fieldName":"_value","visible":true},{"displayName":"_start","fieldName":"_start","visible":true},{"displayName":"_stop","fieldName":"_stop","visible":true},{"displayName":"_time","fieldName":"_time","visible":true},{"displayName":"_field","fieldName":"_field","visible":true},{"displayName":"_measurement","fieldName":"_measurement","visible":true},{"displayName":"engine_host","fieldName":"engine_host","visible":true},{"displayName":"role","fieldName":"role","visible":true},{"displayName":"server_version","fieldName":"server_version","visible":true},{"displayName":"container_image","fieldName":"container_image","visible":true},{"displayName":"container_version","fieldName":"container_version","visible":true},{"displayName":"description","fieldName":"description","visible":true},{"displayName":"maintainer","fieldName":"maintainer","visible":true},{"displayName":"io.k8s.description","fieldName":"io.k8s.description","visible":true},{"displayName":"io.k8s.display-name","fieldName":"io.k8s.display-name","visible":true},{"displayName":"license","fieldName":"license","visible":true},{"displayName":"name","fieldName":"name","visible":true},{"displayName":"org.label-schema.build-date","fieldName":"org.label-schema.build-date","visible":true},{"displayName":"org.label-schema.license","fieldName":"org.label-schema.license","visible":true},{"displayName":"org.label-schema.name","fieldName":"org.label-schema.name","visible":true},{"displayName":"org.label-schema.schema-version","fieldName":"org.label-schema.schema-version","visible":true},{"displayName":"org.label-schema.url","fieldName"
:"org.label-schema.url","visible":true},{"displayName":"org.label-schema.vcs-ref","fieldName":"org.label-schema.vcs-ref","visible":true},{"displayName":"org.label-schema.vcs-url","fieldName":"org.label-schema.vcs-url","visible":true},{"displayName":"org.label-schema.vendor","fieldName":"org.label-schema.vendor","visible":true},{"displayName":"org.label-schema.version","fieldName":"org.label-schema.version","visible":true},{"displayName":"org.opencontainers.image.created","fieldName":"org.opencontainers.image.created","visible":true},{"displayName":"org.opencontainers.image.licenses","fieldName":"org.opencontainers.image.licenses","visible":true},{"displayName":"org.opencontainers.image.title","fieldName":"org.opencontainers.image.title","visible":true},{"displayName":"org.opencontainers.image.vendor","fieldName":"org.opencontainers.image.vendor","visible":true},{"displayName":"release","fieldName":"release","visible":true},{"displayName":"summary","fieldName":"summary","visible":true},{"displayName":"url","fieldName":"url","visible":true},{"displayName":"vendor","fieldName":"vendor","visible":true},{"displayName":"version","fieldName":"version","visible":true},{"displayName":"org.label-schema.usage","fieldName":"org.label-schema.usage","visible":true},{"displayName":"org.opencontainers.image.documentation","fieldName":"org.opencontainers.image.documentation","visible":true},{"displayName":"org.opencontainers.image.revision","fieldName":"org.opencontainers.image.revision","visible":true},{"displayName":"org.opencontainers.image.source","fieldName":"org.opencontainers.image.source","visible":true},{"displayName":"org.opencontainers.image.url","fieldName":"org.opencontainers.image.url","visible":true},{"displayName":"org.opencontainers.image.version","fieldName":"org.opencontainers.image.version","visible":true},{"displayName":"org.opencontainers.image.description","fieldName":"org.opencontainers.image.description","visible":true}],"height":4,"kind":"Table","name":"Mos
t Recent Container Events","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"oomkilled\")\n |> filter(fn: (r) => r[\"container_status\"] != \"running\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"container_image\", \"host\"])\n |> last()\n |> group()\n |> keep(columns: [\"_value\", \"container_name\", \"host\", \"container_status\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"container_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD HH:mm:ss","width":3,"xPos":9,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == 
\"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> set(key: \"_field\", value: \"Trend\")\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"description":"Visualize the Security Onion grid performance metrics and alarm statuses.","name":"Security Onion Performance"}}] \ No newline at end of file +[{"apiVersion":"influxdata.com/v2alpha1","kind":"Dashboard","metadata":{"name":"dashboard-so"},"spec":{"charts":[{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Uptime","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24 * 60 * 60)}))\n |> group(columns: [\"host\"])\n |> last()\n |> lowestMin(n:1)"}],"staticLegend":{},"suffix":" days","width":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"ruby","type":"text","hex":"#BF3D5E","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Critical 
Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> filter(fn: (r) => r[\"_level\"] == \"crit\")\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"yPos":2},{"colors":[{"id":"base","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QCTYWuGuHkikYFsZSKMzQ","name":"rainforest","type":"text","hex":"#4ED8A0"},{"id":"QdpMyTRBb0LJ56-P5wfAW","name":"laser","type":"text","hex":"#00C9FF","value":1},{"id":"VQGwCoMrxZyP8asiOW5Cq","name":"tiger","type":"text","hex":"#F48D38","value":2},{"id":"zSO9QkesSIxrU_ntCBx2i","name":"ruby","type":"text","hex":"#BF3D5E","value":3}],"fieldOptions":[{"fieldName":"_time","visible":true},{"displayName":"Alarm","fieldName":"_check_name","visible":true},{"displayName":"Severity","fieldName":"_value","visible":true},{"displayName":"Status","fieldName":"_level","visible":true}],"height":6,"kind":"Table","name":"Alarm Status","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> drop(columns: [\"_value\"])\n |> duplicate(column: \"_level\", as: \"_value\")\n |> map(fn: (r) => ({ r with _value: if r._value == \"ok\" then 0 else if r._value == \"info\" then 1 else if r._value == \"warn\" then 2 else 3 }))\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> keep(columns: [\"_check_name\",\"_level\",\"_value\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"_check_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD 
HH:mm:ss","width":3,"yPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Storage Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: \"mean\")"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"store_size_in_bytes\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: 
\"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"B"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"InfluxDB Size","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: \"mean\")"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"influxsize\")\n |> filter(fn: (r) => r[\"_field\"] == \"kbytes\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 1000.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" 
days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60)}))\n |> yield(name: \"last\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60)}))\n |> yield(name: 
\"Trend\")"}],"shade":true,"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: 
v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"System Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => 
r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: 
[\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: 
[\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_recv\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> 
hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":38},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: 
\"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"5m Load Average","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load5\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":1},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"tiger","type":"text","hex":"#F48D38","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Warning Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> filter(fn: (r) => r[\"_level\"] == \"warn\")\n |> count()"}],"staticLegend":{},"suffix":" 
","width":1,"xPos":1,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"IO Wait","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"},{"id":"z83MTSufTrlrCoEPiBXda","name":"laser","type":"text","hex":"#00C9FF","value":1}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Informative Alarms","queries":[{"query":"from(bucket: \"_monitoring\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"statuses\")\n |> filter(fn: (r) => r[\"_field\"] == \"_message\")\n |> group(columns: [\"_check_id\"])\n |> sort(columns: [\"_time\"])\n |> last()\n |> group()\n |> filter(fn: (r) => r[\"_level\"] == \"info\")\n |> count()"}],"staticLegend":{},"suffix":" ","width":1,"xPos":2,"yPos":2},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Estimated EPS In","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> hostFilter()\n |> 
derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":3},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"CPU Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_idle\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> map(fn: (r) => ({r with _value: r._value * -1.0 + 100.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"kOQLOg2H4FVEE-E1_L8Kq","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"5IArg2lDb8KvnphywgUXa","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Root Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n 
tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":3,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Suricata Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == 
v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":3,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":0,"height":2,"kind":"Single_Stat","name":"Redis Queue","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"width":1,"xPos":4},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elasticsearch Document 
Count","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: \"mean\")"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_indices\")\n |> filter(fn: (r) => r[\"_field\"] == \"docs_count\")\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Redis Queue","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] 
== \"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"redisqueue\")\n |> filter(fn: (r) => r[\"_field\"] == \"unparsed\")\n |> group(columns: [\"host\", \"_field\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":14},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Uptime","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n 
|> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> group(columns: [\"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24 * 60 * 60 * 1000000000)}))\n |> yield(name: \"last\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"uptime_ns\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> group(columns: [\"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> map(fn: (r) => ({r with _value: float(v: r._value) / float(v: 24.0 * 60.0 * 60.0 * 1000000000.0)}))\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"yT5vTIlaaFChSrQvKLfqf","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"mzzUVSu3ibTph1JmQmDAQ","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"mOcnDo7l8ii6qNLFIB5rs","name":"Nineteen Eighty 
Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container CPU Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_cpu\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> 
hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Memory Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> 
sort(columns: [\"_time\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_percent\")\n |> filter(fn: (r) => r[\"container_status\"] == \"running\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b"}],"colorizeRows":true,"colors":[{"id":"0ynR6Zs0wuQ3WY0Lz-_KC","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"YiArehCNBwFm9mn8DSXSG","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"DxByY_EQW9Xs2jD5ktkG5","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Container Traffic - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n 
else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> yield(name: \"mean\")"},{"query":"containerFilter = (tables=<-) =>\n if v.Container != \"(All)\" then\n tables |> filter(fn: (r) => r[\"container_name\"] == v.Container)\n else\n tables\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_net\")\n |> filter(fn: (r) => r[\"_field\"] == \"rx_bytes\")\n |> hostFilter()\n |> roleFilter()\n |> containerFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with _value: r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\", \"container_name\"])\n |> sort(columns: [\"_time\"])\n |> yield(name: 
\"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":4,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Disk Usage /nsm","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"used_percent\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xPos":4,"yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Traffic","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_recv\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" Mb/s","width":1,"xPos":5},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Inbound Drops","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\") \n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: r._value * 8.0 / (1000.0 * 1000.0)}))\n |> group(columns: [\"host\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" 
Mb/s","width":1,"xPos":6},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":70},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":80},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Memory Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"mem\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":2},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"laser","type":"threshold","hex":"#00C9FF","value":85},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"tiger","type":"threshold","hex":"#F48D38","value":90},{"id":"H7uprvKmMEh39en6X-ms_","name":"ruby","type":"threshold","hex":"#BF3D5E","value":95},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"NSM Disk Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"disk\")\n |> filter(fn: (r) => r[\"path\"] == \"/nsm\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n 
|> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":6,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Management Interface Traffic - Outbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n 
\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"bytes_sent\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"manint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"bytes_sent\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n \n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: 
\"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":6,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":34},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Packet Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> 
filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> hostFilter()\n |> roleFilter()\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":6,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Capture Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":7},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Zeek Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekdrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":8},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Elastic Ingest Time Spent","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_community_id_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"community.id_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == 
\"ingest_processor_stats_conditional_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"conditional_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_index_name_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date.index.name_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_date_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"date_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == 
\"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dissect_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dissect_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_dot_expander_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"dot.expander_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_geoip_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"geoip_time\")"},{"query":"from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_grok_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"grok_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_json_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"json_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_kv_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> 
group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"kv_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_lowercase_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"lowercase_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_rename_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"rename_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n 
|> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_script_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"script_time\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"elasticsearch_clusterstats_nodes\")\n |> filter(fn: (r) => r.role == \"standalone\" or r.role == \"eval\" or r.role == \"import\" or r.role == \"managersearch\" or r.role == \"search\" or r.role == \"node\" or r.role == \"heavynode\")\n |> filter(fn: (r) => r[\"_field\"] == \"ingest_processor_stats_user_agent_time_in_millis\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"user.agent_time\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":10},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear"}],"colorizeRows":true,"colors":[{"id":"sW2GqpGAsGB5Adx16jKjp","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"TsdXuXwdI5Npi9S8L4f-i","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"OGL29-SUbJ6FyQb0JzbaD","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"1m Load Average","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: 
(r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"system\")\n |> filter(fn: (r) => r[\"_field\"] == \"load1\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\",\"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: true)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":14,"yTickStep":1},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":" e/s"}],"colorizeRows":true,"colors":[{"id":"xflqbsX-j3iq4ry5QOntK","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#8F8AF4"},{"id":"5H28HcITm6QVfQsXon0vq","name":"Do Androids Dream of Electric Sheep?","type":"scale","hex":"#A51414"},{"id":"25MrINwurNBkQqeKCkMPg","name":"Do Androids Dream of Electric 
Sheep?","type":"scale","hex":"#F4CF31"}],"geom":"line","height":4,"heightRatio":0.301556420233463,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Logstash EPS","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"in\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"},{"query":"from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == 
\"logstash_events\")\n |> filter(fn: (r) => r[\"_field\"] == \"out\")\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\") \n |> map(fn: (r) => ({r with _value: -r._value}))\n |> group(columns: [\"_field\", \"host\", \"pipeline\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.301556420233463,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":18},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"UAehjIsi65P8u92M_3sQY","name":"Nineteen Eighty Four","type":"scale","hex":"#31C0F6"},{"id":"_SCP8Npp4NVMx2N4mfuzX","name":"Nineteen Eighty Four","type":"scale","hex":"#A500A5"},{"id":"BoMPg4R1KDp_UsRORdV3_","name":"Nineteen Eighty Four","type":"scale","hex":"#FF7E27"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"IO Wait","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n 
if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"cpu\")\n |> filter(fn: (r) => r[\"cpu\"] == \"cpu-total\")\n |> filter(fn: (r) => r[\"_field\"] == \"usage_iowait\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":22},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"QDwChKZWuQV0BaJcEeSam","name":"Atlantis","type":"scale","hex":"#74D495"},{"id":"ThD0WTqKHltQEVlq9mo6K","name":"Atlantis","type":"scale","hex":"#3F3FBA"},{"id":"FBHYZiwDLKyQK3eRfUD-0","name":"Atlantis","type":"scale","hex":"#FF4D9E"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Swap Usage","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> 
aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> roleFilter()\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":26},{"axes":[{"base":"10","name":"x","scale":"linear"},{"base":"10","name":"y","scale":"linear","suffix":"b/s"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"heightRatio":0.18482490272373542,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Monitor Interface Drops - Inbound","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: 
\"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"drop_in\"}))"},{"query":"import \"join\"\n\nhostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nmanints = from(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"node_config\")\n |> hostFilter()\n |> filter(fn: (r) => r[\"_field\"] == \"monint\")\n |> distinct()\n |> group(columns: [\"host\"])\n\ntraffic = from(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"net\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop_in\")\n |> hostFilter()\n |> roleFilter()\n |> derivative(unit: 1s, nonNegative: true, columns: [\"_value\"], timeColumn: \"_time\")\n |> map(fn: (r) => ({r with \"_value\": r._value * 8.0}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> 
group(columns: [\"host\"])\n\njoin.inner(left: traffic, right: manints,\n on: (l,r) => l.interface == r._value,\n as: (l, r) => ({l with _value: l._value, result: \"Trend\"}))"}],"staticLegend":{"colorizeRows":true,"heightRatio":0.18482490272373542,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":30},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":" days"}],"colorizeRows":true,"colors":[{"id":"3PVw3hQuZUzyar7Js3mMH","name":"Ectoplasm","type":"scale","hex":"#DA6FF1"},{"id":"O34ux-D8Xq_1-eeWRyYYH","name":"Ectoplasm","type":"scale","hex":"#00717A"},{"id":"P04RoKOHBdLdvfrfFbn0F","name":"Ectoplasm","type":"scale","hex":"#ACFF76"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Stenographer PCAP Retention","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])"},{"query":"import \"join\"\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> map(fn: (r) => ({ r with _value: r._value / (24.0 * 3600.0)}))\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> group(columns: [\"_field\",\"host\"])\n |> yield(name: 
\"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":4,"widthRatio":1,"xCol":"_time","xPos":8,"yCol":"_value","yPos":42},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Suricata Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"suridrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":9},{"colors":[{"id":"0","name":"viridian","type":"min","hex":"#32B08C"},{"id":"5IArg2lDb8KvnphywgUXa","name":"pineapple","type":"threshold","hex":"#FFB94A","value":50},{"id":"yFhH3mtavjuAZh6cEt5lx","name":"fire","type":"threshold","hex":"#DC4E58","value":70},{"id":"1","name":"ruby","type":"max","hex":"#BF3D5E","value":100}],"decimalPlaces":0,"height":4,"kind":"Gauge","name":"Swap Usage","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"swap\")\n |> filter(fn: (r) => r[\"_field\"] == \"used_percent\")\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n: 1)\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: 
\"mean\")"}],"staticLegend":{},"suffix":"%","tickSuffix":"%","width":3,"xPos":9,"yPos":2},{"colors":[{"id":"base","name":"white","type":"text","hex":"#ffffff"}],"fieldOptions":[{"displayName":"Host","fieldName":"host","visible":true},{"displayName":"Name","fieldName":"container_name","visible":true},{"displayName":"Status","fieldName":"container_status","visible":true},{"displayName":"OOM Killed","fieldName":"_value","visible":true},{"displayName":"_start","fieldName":"_start","visible":true},{"displayName":"_stop","fieldName":"_stop","visible":true},{"displayName":"_time","fieldName":"_time","visible":true},{"displayName":"_field","fieldName":"_field","visible":true},{"displayName":"_measurement","fieldName":"_measurement","visible":true},{"displayName":"engine_host","fieldName":"engine_host","visible":true},{"displayName":"role","fieldName":"role","visible":true},{"displayName":"server_version","fieldName":"server_version","visible":true},{"displayName":"container_image","fieldName":"container_image","visible":true},{"displayName":"container_version","fieldName":"container_version","visible":true},{"displayName":"description","fieldName":"description","visible":true},{"displayName":"maintainer","fieldName":"maintainer","visible":true},{"displayName":"io.k8s.description","fieldName":"io.k8s.description","visible":true},{"displayName":"io.k8s.display-name","fieldName":"io.k8s.display-name","visible":true},{"displayName":"license","fieldName":"license","visible":true},{"displayName":"name","fieldName":"name","visible":true},{"displayName":"org.label-schema.build-date","fieldName":"org.label-schema.build-date","visible":true},{"displayName":"org.label-schema.license","fieldName":"org.label-schema.license","visible":true},{"displayName":"org.label-schema.name","fieldName":"org.label-schema.name","visible":true},{"displayName":"org.label-schema.schema-version","fieldName":"org.label-schema.schema-version","visible":true},{"displayName":"org.label-schema.url","fieldName"
:"org.label-schema.url","visible":true},{"displayName":"org.label-schema.vcs-ref","fieldName":"org.label-schema.vcs-ref","visible":true},{"displayName":"org.label-schema.vcs-url","fieldName":"org.label-schema.vcs-url","visible":true},{"displayName":"org.label-schema.vendor","fieldName":"org.label-schema.vendor","visible":true},{"displayName":"org.label-schema.version","fieldName":"org.label-schema.version","visible":true},{"displayName":"org.opencontainers.image.created","fieldName":"org.opencontainers.image.created","visible":true},{"displayName":"org.opencontainers.image.licenses","fieldName":"org.opencontainers.image.licenses","visible":true},{"displayName":"org.opencontainers.image.title","fieldName":"org.opencontainers.image.title","visible":true},{"displayName":"org.opencontainers.image.vendor","fieldName":"org.opencontainers.image.vendor","visible":true},{"displayName":"release","fieldName":"release","visible":true},{"displayName":"summary","fieldName":"summary","visible":true},{"displayName":"url","fieldName":"url","visible":true},{"displayName":"vendor","fieldName":"vendor","visible":true},{"displayName":"version","fieldName":"version","visible":true},{"displayName":"org.label-schema.usage","fieldName":"org.label-schema.usage","visible":true},{"displayName":"org.opencontainers.image.documentation","fieldName":"org.opencontainers.image.documentation","visible":true},{"displayName":"org.opencontainers.image.revision","fieldName":"org.opencontainers.image.revision","visible":true},{"displayName":"org.opencontainers.image.source","fieldName":"org.opencontainers.image.source","visible":true},{"displayName":"org.opencontainers.image.url","fieldName":"org.opencontainers.image.url","visible":true},{"displayName":"org.opencontainers.image.version","fieldName":"org.opencontainers.image.version","visible":true},{"displayName":"org.opencontainers.image.description","fieldName":"org.opencontainers.image.description","visible":true}],"height":4,"kind":"Table","name":"Mos
t Recent Container Events","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"docker_container_status\")\n |> filter(fn: (r) => r[\"_field\"] == \"oomkilled\")\n |> filter(fn: (r) => r[\"container_status\"] != \"running\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"container_name\", \"host\"])\n |> last()\n |> group()\n |> keep(columns: [\"_value\", \"container_name\", \"host\", \"container_status\"])"}],"staticLegend":{},"tableOptions":{"sortBy":"container_name","verticalTimeAxis":true},"timeFormat":"YYYY-MM-DD HH:mm:ss","width":3,"xPos":9,"yPos":6},{"axes":[{"base":"10","name":"x","scale":"linear"},{"name":"y","scale":"linear","suffix":"%"}],"colorizeRows":true,"colors":[{"id":"TtgHQAXNep94KBgtu48C_","name":"Cthulhu","type":"scale","hex":"#FDC44F"},{"id":"_IuzkORho_8QXTE6vMllv","name":"Cthulhu","type":"scale","hex":"#007C76"},{"id":"bUszW_YI_9oColDbLNQ-d","name":"Cthulhu","type":"scale","hex":"#8983FF"}],"geom":"line","height":4,"hoverDimension":"auto","kind":"Xy","legendColorizeRows":true,"legendOpacity":1,"legendOrientationThreshold":100000000,"name":"Zeek Capture Loss","opacity":1,"orientationThreshold":100000000,"position":"overlaid","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == 
\"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"mean\")"},{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nroleFilter = (tables=<-) =>\n if v.Role != \"(All)\" then\n tables |> filter(fn: (r) => r[\"role\"] == v.Role)\n else\n tables\n\nfrom(bucket: \"telegraf/so_long_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"zeekcaptureloss\")\n |> filter(fn: (r) => r[\"_field\"] == \"loss\")\n |> hostFilter()\n |> roleFilter()\n |> group(columns: [\"_field\", \"host\", \"role\"])\n |> aggregateWindow(every: v.windowPeriod, fn: mean, createEmpty: false)\n |> yield(name: \"Trend\")"}],"staticLegend":{"colorizeRows":true,"opacity":1,"orientationThreshold":100000000,"widthRatio":1},"width":3,"widthRatio":1,"xCol":"_time","xPos":9,"yCol":"_value","yPos":38},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"Stenographer Loss","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n\nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"stenodrop\")\n |> filter(fn: (r) => r[\"_field\"] == \"drop\")\n |> map(fn: (r) => ({r with _value: r._value * 100.0}))\n |> hostFilter()\n |> group(columns: [\"host\"])\n |> last()\n |> aggregateWindow(every: v.windowPeriod, fn: mean)\n |> 
highestMax(n:1)"}],"staticLegend":{},"suffix":"%","width":1,"xPos":10},{"colors":[{"id":"base","name":"laser","type":"text","hex":"#00C9FF"}],"decimalPlaces":1,"height":2,"kind":"Single_Stat","name":"PCAP Retention","queries":[{"query":"hostFilter = (tables=<-) =>\n if v.Host != \"(All)\" then\n tables |> filter(fn: (r) => r[\"host\"] == v.Host)\n else\n tables\n \nfrom(bucket: \"telegraf/so_short_term\")\n |> range(start: v.timeRangeStart, stop: v.timeRangeStop)\n |> filter(fn: (r) => r[\"_measurement\"] == \"pcapage\")\n |> filter(fn: (r) => r[\"_field\"] == \"seconds\")\n |> hostFilter()\n |> map(fn: (r) => ({r with _value: r._value / (24.0 * 60.0 * 60.0)}))\n |> group(columns: [\"host\"])\n |> last()\n |> highestMax(n:1)"}],"staticLegend":{},"suffix":" days","width":1,"xPos":11}],"description":"Visualize the Security Onion grid performance metrics and alarm statuses.","name":"Security Onion Performance"}}] \ No newline at end of file From 01edb5dc003187562b2e723a8433d7a360dca361 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Feb 2023 11:09:37 -0500 Subject: [PATCH 104/470] Update repo URL --- setup/so-functions | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 677bb6da6..ad93bc5ba 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -626,7 +626,7 @@ configure_ntp() { # Install chrony if it isn't already installed if ! command -v chronyc &> /dev/null; then - logCmd "yum -y install chrony" + logCmd "dnf -y install chrony" fi [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" @@ -2017,10 +2017,10 @@ saltify() { # Install salt if [[ $waitforstate ]]; then # Since this is a salt master so let's install it - logCmd "yum -y install salt-minion salt-master" + logCmd "dnf -y install salt-minion salt-master" else # We just need the minion - logCmd "yum -y install salt-minion" + logCmd "dnf -y install salt-minion" fi fi fi 
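Review bot: The Salt install in saltify is unpinned on the new side (`logCmd "dnf -y install salt-minion salt-master"` and `logCmd "dnf -y install salt-minion"`), while update_packages in the same file excludes `salt*` from `dnf -y update`, which suggests the grid is meant to stay on a fixed Salt version; if that version is not enforced through the repo or a versionlock elsewhere, a fresh install will take whatever the repo currently serves and later updates will never correct it. Either pin here, e.g. `logCmd "dnf -y install salt-minion-<SALT_VERSION> salt-master-<SALT_VERSION>"` with the version the rest of setup expects, or add a comment above the install stating where the pin is enforced. The same applies to the chrony install in the configure_ntp hunk only insofar as consistency goes; that package is not excluded from updates. The enclosing if/else of saltify continues outside the hunk.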
@@ -2358,10 +2358,9 @@ update_sudoers() { } update_packages() { - if [[ $is_centos ]]; then - logCmd "yum repolist" - logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*" - logCmd "yum -y install yum-utils" + if [[ $is_rocky ]]; then + logCmd "dnf repolist" + logCmd "dnf -y update --exclude=salt*,wazuh*,docker*,containerd*" else retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 From 790b3c5635ccbb698d0c53eb60805dd82cb27fca Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 15 Feb 2023 16:30:56 +0000 Subject: [PATCH 105/470] Replace 'so-*' index-pattern reference with 'logs-*' for Kibana dashboard visualizations --- salt/kibana/files/saved_objects.ndjson | 1648 ++++++++++++------------ 1 file changed, 824 insertions(+), 824 deletions(-) diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson index 512ce1532..dfc24e660 100644 --- a/salt/kibana/files/saved_objects.ndjson +++ b/salt/kibana/files/saved_objects.ndjson 
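Review bot: The new rocky branch runs `dnf repolist` and `dnf -y update --exclude=...` through logCmd with no retry and no exit on failure, while the apt branch directly below wraps the equivalent calls in `retry 150 10 ... || exit 1`; if logCmd does not itself abort on a non-zero status, a transient mirror failure leaves the host partially updated and setup continues as if the update succeeded. Mirroring the apt branch, e.g. `retry 150 10 "dnf -y update --exclude=salt*,wazuh*,docker*,containerd*" >> "$setup_log" 2>&1 || exit 1`, would make both paths fail the same way. Dropping the `yum-utils` install is presumably deliberate, but anything later in setup that still calls `yum-config-manager` or `dnf config-manager` now depends on `dnf-plugins-core` being present on the image — worth confirming before the old line goes. The switch from `$is_centos` to `$is_rocky` also assumes `is_rocky` is set by the same detection code that set `is_centos`; that code is not in this hunk.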
@@ -1,824 +1,824 @@ -{"attributes":{"fieldFormatMap":"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"name\":\"match_body.category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"match_body.destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"match_body.original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"match_body.respond_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"match_body.syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"match_body.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:elastalert_status*"},"coreMigrationVersion":"7.16.2","id":"*:elastalert_status*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,9],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjY0LDE1XQ=="} -{"attributes":{"fieldFormatMap":"{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/#/hunt?q=_id%3A{{value}}\",\"labelTemplate\":\"Hunt and optionally pivot to 
PCAP/Cases\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR 
destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(
refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb90391
9ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplate\":\"{{value}
}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip_bytes\":{\"id\":\
"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"read
FromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate
_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_ve
rsion\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"communit
y.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.proces
s.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.architec
ture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.status.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.name.keyword\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_iso_code.keyword\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"faci
lity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDo
cValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_
cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\
":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_us
ername\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromD
ocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lo
gon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keywo
rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.name.keyword\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\
"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFr
omDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocV
alues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.perm
_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFr
omDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"v
ersion_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name
\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/case/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-*"},"coreMigrationVersion":"7.16.2","id":"*:logstash-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,10],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjY1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Network Data","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network 
Data\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/dashboards#/view/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/dashboards#/view/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/dashboards#/view/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/dashboards#/view/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/dashboards#/view/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/dashboards#/view/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/dashboards#/view/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [Intel](/kibana/app/dashboards#/view/85b529a0-0e5a-11eb-a255-e1e8e85e3571) | [IRC](/kibana/app/dashboards#/view/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/dashboards#/view/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/dashboards#/view/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/dashboards#/view/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/dashboards#/view/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[PE](/kibana/app/dashboards#/view/94b55b90-c761-11ea-bebb-37c5ab5894ea) |\\n[RADIUS](/kibana/app/dashboards#/view/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/dashboards#/view/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/dashboards#/view/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/dashboards#/view/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/dashboards#/view/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/dashboards#/view/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/dashboards#/view/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/dashboards#/view/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | [SSL](/kibana/app/dashboards#/view/efae8de0-75eb-11ea-9565-7315f4ee5cac) | 
[Syslog](/kibana/app/dashboards#/view/66499a20-75ed-11ea-9565-7315f4ee5cac) | [Tunnels](/kibana/app/dashboards#/view/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/dashboards#/view/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"}}"},"coreMigrationVersion":"7.16.2","id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,11],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjY2LDE1XQ=="} -{"attributes":{"fieldFormatMap":"{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator'
,viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip:'{{ value }}')),(term:(destination.ip:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(emb
eddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip:'{{ value }}')),(term:(destination.ip:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1
-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086f
ff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-
47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8
),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embedda
bleConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',
viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddabl
eConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/#/hunt?q=_id%3A{{value}}\",\"labelTemplate\":\"Hunt and optionally pivot to PCAP/Cases\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view
)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),
(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6
.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(
embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',vi
ewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableCo
nfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"connection.state_description\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.state_description.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9
-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"rule.category\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.uuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.uuid,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.uuid:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.history\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:
f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemp
late\":\"{{ value }}\"}},\"dhcp.requested_address\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"host.mac\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9
d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTem
plate\":\"{{ value }}\"}},\"dhcp.lease_time\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.lease_time,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.lease_time:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-1
1ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y
:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574
',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a
7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-
8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.user.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd
2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.password.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"http.useragent.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.method.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7
-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.uri\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-
11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb
0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-
72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,
version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d
2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility_label:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility_label:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35
,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity_label:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity_label:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35
,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8
f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59
b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f5
9b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"string\
",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.ephemeral_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"agent.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.address.
keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.id.product.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mul
ti\":{\"parent\":\"client.name\"}}},{\"name\":\"client.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"client.user_agent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.history.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"connection.state_description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.euid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"name\":\"data.euid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"name\":\"data.file.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_cores\"}}},{\"name\":\"data.hardware.cpu_cores.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_cores\"}}},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_mhz\"}}},{\"name\":\"data.hardware.cpu_mhz.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_mhz\"}}},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_name\"}}},{\"name\":\"data.hardware.cpu_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_name\"}}},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_free\"}}},{\"name\":\"data.hardware.ram_free.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_free\"}}},{\"name\":\"data.hardware.ram_total\",\"type\":\
"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_total\"}}},{\"name\":\"data.hardware.ram_total.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_total\"}}},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_usage\"}}},{\"name\":\"data.hardware.ram_usage.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_usage\"}}},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.serial\"}}},{\"name\":\"data.hardware.serial.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"
parent\":\"data.hardware.serial\"}}},{\"name\":\"data.hotfix\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hotfix.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hotfix\"}}},{\"name\":\"data.hotfix.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hotfix\"}}},{\"name\":\"data.logname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.logname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.logname\"}}},{\"name\":\"data.logname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.logname\"}}},{\"name\":\"data.netinfo.iface.adapter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.adapter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.adapter\"}}},{\"name\":\"data.netinfo.iface.adapter.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent
\":\"data.netinfo.iface.adapter\"}}},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.address\"}}},{\"name\":\"data.netinfo.iface.ipv4.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.address\"}}},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.broadcast\"}}},{\"name\":\"data.netinfo.iface.ipv4.broadcast.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.broadcast\"}}},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.dhcp\"}}},{\"name\":\"data
.netinfo.iface.ipv4.dhcp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.dhcp\"}}},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv4.gateway.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.metric\"}}},{\"name\":\"data.netinfo.iface.ipv4.metric.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.metric\"}}},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"esTyp
es\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.netmask\"}}},{\"name\":\"data.netinfo.iface.ipv4.netmask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.netmask\"}}},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.address\"}}},{\"name\":\"data.netinfo.iface.ipv6.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.address\"}}},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.dhcp\"}}},{\"name\":\"data.netinfo.iface.ipv6.dhcp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.dhcp\"}}},{\"name\":\"data.netinfo.iface.ipv6.gateway\",\"type\":\"string\",\"
esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.gateway.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv6.gateway.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv6.metric\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.metric.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.metric\"}}},{\"name\":\"data.netinfo.iface.ipv6.metric.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.metric\"}}},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.netmask\"}}},{\"name\":\"data.netinfo.iface.ipv6.netmask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.netmask\"}}},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mac\"}}},{\"name\":\"data.netinfo.iface.mac.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mac\"}}},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mtu\"}}},{\"name\":\"data.netinfo.iface.mtu.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mtu\"}}},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.name\"}}},{\"name\":\"data.neti
nfo.iface.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.name\"}}},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_bytes\"}}},{\"name\":\"data.netinfo.iface.rx_bytes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_bytes\"}}},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_dropped\"}}},{\"name\":\"data.netinfo.iface.rx_dropped.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_dropped\"}}},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_errors\"}}},{\"name\":\"data.netinfo.iface.rx_errors.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_errors\"}}},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_packets\"}}},{\"name\":\"data.netinfo.iface.rx_packets.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_packets\"}}},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.state\"}}},{\"name\":\"data.netinfo.iface.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.state\"}}},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_bytes\"}}},{\"name\":\"data.netinfo.iface.tx_bytes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_bytes\"}}},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_dropped\"}}},{\"name\":\"data.netinfo.iface.tx_dropped.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_dropped\"}}},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_errors\"}}},{\"name\":\"data.netinfo.iface.tx_errors.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo
.iface.tx_errors\"}}},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_packets\"}}},{\"name\":\"data.netinfo.iface.tx_packets.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_packets\"}}},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.type\"}}},{\"name\":\"data.netinfo.iface.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.type\"}}},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.architecture\"}}},{\"name\":\"data.os.architecture.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.architecture\"}}},{\"name\":\"data.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.build\"}}},{\"name\":\"data.os.build.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.build\"}}},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.hostname\"}}},{\"name\":\"data.os.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.hostname\"}}},{\"name\":\"data.os.major\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.major\"}}},{\"name\":\"data.os.major.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.major\"}}},{\"name\":\"data.os.minor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.minor\"}}},{\"name\":\"data.os.minor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.minor\"}}},{\"name\":\"data.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.name\"}}},{\"name\":\"data.os.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.name\"}}},{\"name\":\"data.os.os_release\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.os_release.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.os_release\"}}},{\"name\":\"data.os.os_release.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.os_release\"}}},{\"name\":\"data.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.platform\"}}},{\"name\":\"data.os.platform.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.platform\"}}},{\"name\":\"data.os.release\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.release\"}}},{\"name\":\"data.os.release.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.release\"}}},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.release_version\"}}},{\"name\":\"data.os.release_version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.release_version\"}}},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.sysname\"}}},{\"name\":\"data.os.sysname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.sysname\"}}},{\"name\":\"data.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.version\"}}},{\"name\":\"data.os.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.version\"}}},{\"name\":\"data.port.inode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.inode\"}}},{\"name\":\"data.port.inode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.inode\"}}},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.local_ip\"}}},{\"name\":\"data.port.local_ip.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.local_ip\"}}},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.local_port\"}}},{\"name\":\"data.port.local_port.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.local_port\"}}},{\"name\":\"data.port.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.pid\"}}},{\"name\":\"data.port.pid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.pid\"}}},{\"name\":\"data.port.process\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.process.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.process\"}}},{\"name\":\"data.port.process.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.process\"}}},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.protocol\"}}},{\"name\":\"data.port.protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.protocol\"}}},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_ip\"}}},{\"name\":\"data.port.remote_ip.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_ip\"}}},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_port\"}}},{\"name\":\"data.port.remote_port.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_port\"}}},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.rx_queue\"}}},{\"name\":\"data.port.rx_queue.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.rx_queue\"}}},{\"name\":\"data.port.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.state\"}}},{\"name\":\"data.port.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\
":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.state\"}}},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.tx_queue\"}}},{\"name\":\"data.port.tx_queue.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.tx_queue\"}}},{\"name\":\"data.pwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.pwd\"}}},{\"name\":\"data.pwd.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.pwd\"}}},{\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.srcuser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"name\":\"data.srcuser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\
"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"name\":\"data.title.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"name\":\"data.tty.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.uid\",\"typ
e\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"name\":\"data.uid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.endpoint.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.named_pipe.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes\"
:[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"dce_rpc.operation.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.city_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.continent_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\
":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_iso_code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.country_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_iso_code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.region_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ge
o.timezone.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.assigned_ip.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.l
ease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.message_types.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dhcp.requested_address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_reply.security\",\"type\":\"string\",\"es
Types\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.fc_request.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers.name\"}}},{\"name\":\"dns.answers.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.answers.name\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.highest_registered_domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.class_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.query.type_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.response.code_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.top_level_domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"n
ame\":\"ecs.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"error.reason.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.acknowledged\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.category.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.code\"}}},{\"name\":\"event.code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.code\"}}},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.created.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"s
ubType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.dataset.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.escalated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.kind.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.module.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.provider.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.severity_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.severity_label.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"event.timestamp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.analyzer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.compile_timestamp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.description\"}}},{\"name\":\"file.description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.description\"}}},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.extracted.filename.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.flavors.mime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.mime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.mime\"}}},{\"name\":\"file.flavors.mime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.flavors.mime\"}}},{\"name\":\"file.flavors.yara\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.yara.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.flavors.yara.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.machine.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mime_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.mimetype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\
":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_filenames.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.orig_mime_types.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.os.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file
.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_filenames.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.resp_mime_types.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.scanners\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.
scanners.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.scanners.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.section_names.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.source.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.subsystem.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.target\"}}},{\"name\":\"file.target.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target\"}}},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"es
Types\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_accessed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_changed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_created.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.times_modified.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.tree.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.node.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.parent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.parent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.root\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.root.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"file.tree.root.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.argument.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.command.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.password.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"ftp.user.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.hassh.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash
.ja3\"}}},{\"name\":\"hash.ja3.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.ja3s.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.md5.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.sha256.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.ssdeep\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ssdeep.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"hash.ssdeep.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.architecture.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.
mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.mac.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.build.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.family.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.kernel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.platform.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.os.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.changed_attributes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.changed_attributes\"}}},{\"name\":\"host.syscheck.changed_attributes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.changed_attributes\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.event.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gid_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.gname_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}
}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.md5_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.
syscheck.mode\"}}},{\"name\":\"host.syscheck.mode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mode\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.mtime_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.perm_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_before
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha1_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.sha256_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"text
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.size_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.size_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_before\"}}},{\"name\":\"host.syscheck.size_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_before\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uid_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"par
ent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"host.syscheck.uname_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.info_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.info_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"n
ame\":\"http.method.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.proxied.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.referrer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.status_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.uri.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.useragent.security\",
\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"http.virtual_host.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"ingest.timestamp.security\",\"type\":\"string\",\"
esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"intel.indicator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.indicator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.indicator\"}}},{\"name\":\"intel.indicator_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.indicator_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.indicator_type\"}}},{\"name\":\"intel.indicator_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.indicator_type\"}}},{\"name\":\"intel.matched\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.matched.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.matched\"}}},{\"name\":\"intel.matched.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.matched\"}}},{\"name\":\"intel.seen_node\",\"type\":\"string\",\"esTypes\":[\"
text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.seen_node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.seen_node\"}}},{\"name\":\"intel.seen_node.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.seen_node\"}}},{\"name\":\"intel.seen_where\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.seen_where.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.seen_where\"}}},{\"name\":\"intel.seen_where.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.seen_where\"}}},{\"name\":\"intel.sources\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.sources.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.sources\"}}},{\"name\":\"intel.sources.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.sources\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.command.value.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.nickname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"irc.username.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\"name\":\"kerberos.client_certificate_subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.error_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.request_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\
"}}},{\"name\":\"kerberos.server_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.server_certificate_subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.service.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mu
lti\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.cipher.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"kerberos.ticket.valid.until.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.file.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.full.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.client_certificate_fuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\
":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.orig_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.resp_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.server_certificate_fuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.tunnel_parents.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.id.uids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,
\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.level.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.location.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.previous_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_log.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_log\"}}},{\"name\":\"log.previous_log.security\",\"type\":\"st
ring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.previous_log\"}}},{\"name\":\"log.previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_output.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_output\"}}},{\"name\":\"log.previous_output.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.previous_output\"}}},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"manager.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"modbus.function.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.argument.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.command.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.response.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.community_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"
],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.data.decoded.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"network.transport.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.note.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.peer_description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.sub_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.dns.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.nb.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.server.tree.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.analyzer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"observer.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.calendarTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendarTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendarTime\"}}},{\"name\":\"osquery.result.calendarTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendarTime\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.codename.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.command\"}}},{\"name\":\"osquery.result.columns.command.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.command\"}}},{\"name\":\"osquery.result.columns.day_of_month\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\
":false},{\"name\":\"osquery.result.columns.day_of_month.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_month\"}}},{\"name\":\"osquery.result.columns.day_of_month.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_month\"}}},{\"name\":\"osquery.result.columns.day_of_week\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.day_of_week.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_week\"}}},{\"name\":\"osquery.result.columns.day_of_week.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_week\"}}},{\"name\":\"osquery.result.columns.days\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.days.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.days\"}}},{\"name\":\"osquery.result.columns.days.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\"
:{\"parent\":\"osquery.result.columns.days\"}}},{\"name\":\"osquery.result.columns.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.event\"}}},{\"name\":\"osquery.result.columns.event.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.event\"}}},{\"name\":\"osquery.result.columns.hour\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.hour.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hour\"}}},{\"name\":\"osquery.result.columns.hour.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hour\"}}},{\"name\":\"osquery.result.columns.hours\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.hours.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hours\"}}},{\"name\":\"osquery.result.columns.hours.security\
",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hours\"}}},{\"name\":\"osquery.result.columns.minute\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.minute.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minute\"}}},{\"name\":\"osquery.result.columns.minute.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minute\"}}},{\"name\":\"osquery.result.columns.minutes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.minutes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minutes\"}}},{\"name\":\"osquery.result.columns.minutes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minutes\"}}},{\"name\":\"osquery.result.columns.month\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.month.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.month\"}}},{\"name\":\"osquery.result.columns.month.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.month\"}}},{\"name\":\"osquery.result.columns.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.path\"}}},{\"name\":\"osquery.result.columns.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.path\"}}},{\"name\":\"osquery.result.columns.seconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.seconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.seconds\"}}},{\"name\":\"osquery.result.columns.seconds.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.seconds\"}}},{\"name\":\"osquery.result.columns.total_seconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.total_seconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.total_seconds\"}}},{\"name\":\"osquery.result.columns.total_seconds.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.total_seconds\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osque
ry.result.endpoint_ip2.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.hardware_serial.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.hostIdentifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostIdentifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostIdentifier\"}}},{\"name\":\"osquery.result.hostIdentifier.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostIdentifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.live_query.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osque
ry.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unixTime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.args.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.args\"}}},{\"name\":\"process.args.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.args\"}}},{\"name\":\"process.cmd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.cmd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.cmd\"}}},{\"name\":\"process.cmd.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.cmd\"}}},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.command_line.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.egroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.egroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.egroup\"}}},{\"name\":\"process.egroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.egroup\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.entity_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.euser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.euser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"process.euser\"}}},{\"name\":\"process.euser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.euser\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.executable.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.fgroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.fgroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.fgroup\"}}},{\"name\":\"process.fgroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.fgroup\"}}},{\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi
\":{\"parent\":\"process.name\"}}},{\"name\":\"process.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"name\":\"process.nice\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.nice.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.nice\"}}},{\"name\":\"process.nice.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.nice\"}}},{\"name\":\"process.nlwp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.nlwp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.nlwp\"}}},{\"name\":\"process.nlwp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.nlwp\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.com
mand_line\"}}},{\"name\":\"process.parent.command_line.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.entity_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.parent.executable.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.company\"}}},{\"name\":\"process.pe.company.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.company\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.file_version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.ke
yword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.original_file_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pe.product.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pgrp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pgrp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pgrp\"}}},{\"name\":\"process.pgrp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pgrp\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"
process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.pid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.ppid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.priority\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.priority.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.priority\"}}},{\"name\":\"process.priority.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.priority\"}}},{\"name\":\"process.processor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.processor.keyword\",\"type\":\"strin
g\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.processor\"}}},{\"name\":\"process.processor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.processor\"}}},{\"name\":\"process.resident\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.resident.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.resident\"}}},{\"name\":\"process.resident.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.resident\"}}},{\"name\":\"process.rgroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.rgroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.rgroup\"}}},{\"name\":\"process.rgroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.rgroup\"}}},{\"name\":\"process.ruser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ruser.keyword\",\"type\":\"string\",\"esTypes\":[\
"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ruser\"}}},{\"name\":\"process.ruser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.ruser\"}}},{\"name\":\"process.session\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.session.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.session\"}}},{\"name\":\"process.session.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.session\"}}},{\"name\":\"process.sgroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.sgroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.sgroup\"}}},{\"name\":\"process.sgroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.sgroup\"}}},{\"name\":\"process.share\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.share.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\
":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.share\"}}},{\"name\":\"process.share.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.share\"}}},{\"name\":\"process.size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.size.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.size\"}}},{\"name\":\"process.size.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.size\"}}},{\"name\":\"process.start_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.start_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.start_time\"}}},{\"name\":\"process.start_time.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.start_time\"}}},{\"name\":\"process.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.state\"}}},{\"name\":\"process.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.state\"}}},{\"name\":\"process.stime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.stime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.stime\"}}},{\"name\":\"process.stime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.stime\"}}},{\"name\":\"process.suser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.suser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.suser\"}}},{\"name\":\"process.suser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.suser\"}}},{\"name\":\"process.tgid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.tgid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"process.tgid\"}}},{\"name\":\"process.tgid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.tgid\"}}},{\"name\":\"process.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.tty.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.tty\"}}},{\"name\":\"process.tty.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.tty\"}}},{\"name\":\"process.utime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.utime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.utime\"}}},{\"name\":\"process.utime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.utime\"}}},{\"name\":\"process.vm_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.vm_size.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.vm_size\"}}},{\"nam
e\":\"process.vm_size.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.vm_size\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"process.working_directory.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.framed_address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.reply_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"radius.result.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.certificate_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rd
p.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.client_build.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.cookie.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_level.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.encryption_method.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.keyboard_layout.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":[\
"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.requested_color_depth.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.result.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"rdp.security_protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"request.attributes.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.attributes.filename.keywo
rd\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.attributes.filename.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.client.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.source.keyword\",\"type\":\"
string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.source.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.author\"}}},{\"name\":\"rule.author.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.author\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.category.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.date\"}}},{\"name\":\"rule.date.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.date\"}}},{\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"name\":\"rule.description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"name\":\"rule.filetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"rule.filetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.filetype\"}}},{\"name\":\"rule.filetype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.filetype\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gdpr.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.gpg13.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fal
se,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.groups.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hash1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hash1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hash1\"}}},{\"name\":\"rule.hash1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.hash1\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.hipaa.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"nam
e\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"name\":\"rule.info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.maltype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.maltype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.maltype\"}}},{\"name\":\"rule.maltype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.maltype\"}}},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,
\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.affected_product.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.attack_target.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.created_at.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keyword\
",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.deployment.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.former_category.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.malware_family.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\"e
sTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.performance_impact.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.signature_severity.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.tag.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.metadata.updated_at.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.mitre.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"name\":\"rule.mitre.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.mitre.tactic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"name\":\"rule.mitre.tactic.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.mitre.technique.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"name\":\"rule.mitre.technique.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.nist_800_53.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.pci_dss.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.reference.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.reference\"}}},{\"name\":\"rule.reference.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.reference\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.rule.security\",\"typ
e\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.ruleset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.ruleset\"}}},{\"name\":\"rule.ruleset.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.ruleset\"}}},{\"name\":\"rule.score\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.tsc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"name\":\"rule.tsc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.e
lapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.exiftool.About\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.About.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.About.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.AppVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.AppVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.AppVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.Author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.Author.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.BitDepth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BitDepth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BitDepth.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BuildID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BuildID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.BuildID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.
exiftool.CharCountWithSpaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharacterSet\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharacterSet.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.CharacterSet.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.Characters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Characters.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.Characters.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.CodePage\",\"ty
pe\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodePage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodePage.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodeSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodeSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.CodeSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.ColorType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ColorType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.ColorType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"mu
lti\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.Comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Comments.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.Comments.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.CompObjUserType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserTypeLen.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen.security\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.Company.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.CompanyName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompanyName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.CompanyName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.Compression\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Compression.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\
"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.Compression.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.CreateDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreateDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.CreateDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.Creator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Creator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.Creator.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.CreatorTool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreatorTool.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.CreatorTool.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromDocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromInstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.Directory\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.Directory.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.DocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.DocumentID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.EntryPoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.EntryPoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.EntryPoint.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"s
ubType\":{\"multi\":{\"parent\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.Error\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Error.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.Error.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.ExifToolVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ExifToolVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.ExifToolVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.FileAccessDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileAccessDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileAccessDate.security\",\"type\":\"string
\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileDescription.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileFlags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlagsMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlagsMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocV
alues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileFlagsMask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileInodeChangeDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":
false},{\"name\":\"scan.exiftool.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileOS\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileOS.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FileOS.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FilePermissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FilePermissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FilePermissions.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FileSize\",\"type\":\"string\",\"esTypes
\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSubtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSubtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileSubtype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"paren
t\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileTypeExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileTypeExtension.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileTypeExtension.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.FileVersionNumber.securi
ty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.Filter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Filter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Filter.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Format\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Format.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.Format.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.HasXFA\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HasXFA.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\
"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HasXFA.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HeadingPairs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HeadingPairs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HeadingPairs.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HyperlinksChanged.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.ImageHeight\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageHeight.keyword\",\"type\":\"string\",\"esTypes\":
[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageHeight.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageWidth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageWidth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.ImageWidth.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.InitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InitializedDataSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InstanceID\"}}},{\"name\":\"scan.exiftool.InstanceID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exifto
ol.InstanceID\"}}},{\"name\":\"scan.exiftool.Interlace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Interlace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.Interlace.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.InternalName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InternalName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.InternalName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.Keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Keywords.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.Language.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.LanguageCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LanguageCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LanguageCode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LastModifiedBy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LastModifiedBy.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"n
ame\":\"scan.exiftool.LastModifiedBy.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"name\":\"scan.exiftool.LegalCopyright\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalCopyright.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalCopyright.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalTrademarks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalTrademarks.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.LegalTrademarks.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.Linearized\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Linearized.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Linearized.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Lines\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Lines.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.Lines.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.LinkerVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinkerVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinkerVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinksUpToDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false},{\"name\":\"scan.exiftool.LinksUpToDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"}}},{\"name\":\"scan.exiftool.LinksUpToDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"}}},{\"name\":\"scan.exiftool.MIMEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MIMEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MIMEType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MachineType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MachineType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.MachineType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.Megapixels\",\"type\":\"s
tring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Megapixels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.Megapixels.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.ModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.ModifyDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.OSVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OSVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.OSVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subTy
pe\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.ObjectFileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ObjectFileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.ObjectFileType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.OriginalFileName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.PDFVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PDFVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PDFVersion
.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PEType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PTEX_Fullbanner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PageCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PageCount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.PageCount.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.Pages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Pages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Pages.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Paragraphs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Paragraphs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.Paragraphs.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.PrivateBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PrivateBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keywo
rd\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.PrivateBuild.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.Producer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Producer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.Producer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.ProductName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.RevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\"
:{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.ScaleCrop\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ScaleCrop.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.ScaleCrop.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.Security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Security.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.Security.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.SharedDoc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SharedDoc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.SharedDoc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.Software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.Software.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SourceFile.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SpecialBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SpecialBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"na
me\":\"scan.exiftool.SpecialBuild.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"name\":\"scan.exiftool.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.Subsystem.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.SubsystemVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SubsystemVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SubsystemVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SvnRevision\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SvnRevision.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.SvnRevision.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.Template\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Template.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.Template.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.TimeStamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.T
imeStamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.TimeStamp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.Title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.Title.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.TitleOfParts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TitleOfParts.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TitleOfParts.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TotalEditTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TotalEditTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.TotalEditTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.Trapped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Trapped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.Trapped.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.UninitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{
\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.Warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Warning.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Words\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Words.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.Words.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.XMPToolkit\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.XMPToolkit.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.XMPToolkit.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.header.header.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.header.header.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.ini.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ini.keys.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.name\"}}},{\"name\":\"scan.ini.keys.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ini.
keys.name\"}}},{\"name\":\"scan.ini.keys.section\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.section.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.section.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.keys.value.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.sections\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.sections.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.ini.sections.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"sub
Type\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.libarchive.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.mmbot.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.mmbot.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.ocr.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan
.ole.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ole.flags\"}}},{\"name\":\"scan.ole.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ole.flags\"}}},{\"name\":\"scan.ole.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.total.streams\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.objects\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.age\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.gui
d.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.pdb\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.pdb.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.pdb.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.debug.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.file_info.fixed.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.flags.keyword\",\"type\":\"string\"
,\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.operating_systems.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.type.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.type.primary\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.
fixed.type.primary\"}}},{\"name\":\"scan.pe.file_info.string.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.string.value.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.var.character_set\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.character_set.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var
.character_set.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var.language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.file_info.var.language.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.header.address.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.data\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"scan.pe.header.address.entry_point\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.file\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.section\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.characteristics.dll\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.dll.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.dll.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}}
,{\"name\":\"scan.pe.header.characteristics.image.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}},{\"name\":\"scan.pe.header.checksum\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.machine.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.machine.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.magic.dos\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.dos.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.dos.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues
\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.magic.image.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.size.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.initialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.uninitialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.headers\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.image\",\"type\":\"number\",\"esTyp
es\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.subsystem.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.linker\",\"type\":\"number\",\"esTypes\":[\"float\",\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.operating_system\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.ve
rsion.subsystem\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.imphash.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.resources.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.resources.language.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.primary.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.sub\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.sub.keyword\",
\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.language.sub.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.resources.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.sections.address.physical\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.address.virtual\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.characteristics\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.characteristics.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.characteristics.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.exported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.exported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.exported.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.imported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.imported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.imported.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.libraries\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.libraries.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.libraries.security\",\"type\":\"string\",\"esTypes\
":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.table.address\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.table.library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.library.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.symbol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbols\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDoc
Values\":false},{\"name\":\"scan.pe.symbols.table.symbols.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.symbols.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.symbols.table.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.total.libraries\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.resources\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.sections\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.symbols\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"scan.pkcs7.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.certificates\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.upx.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.urls\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.url.urls.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.url.urls.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.vb.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vb.functions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.functions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.functions.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.names.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.operators\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.operators.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.operators.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.strings\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.strings.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.strings.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.tokens\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.tokens.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vb.tokens.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vba.auto_exec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.auto_exec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.auto_exec.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.base64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.base64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.base64.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.ioc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.ioc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.ioc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.suspicious\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.suspicious.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.suspicious.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.expired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.fingerprint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.fingerprint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.fingerprint.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.not_after\",\"type\":\"number\",\"esTyp
es\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.not_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.serial_number\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.serial_number.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.serial_number.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"scan.xml.namespaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.namespaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.namespaces.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.tags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.total.tags\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.xml.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.yara.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.yara.matches\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.matches.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"scan.yara.matches.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.reply_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"server.status_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.call_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.content_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.date.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.method.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.request.to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"mul
ti\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.response.to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.seq.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\
":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.uri.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"sip.warning.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.file_system.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.service.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smb.share_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.shar
e_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.cc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.first_received.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":[\
"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.helo.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.in_reply_to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.last_reply.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromD
ocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_date.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.mail_from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.message_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{
\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.recipient_to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.second_received.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\
":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"smtp.useragent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.community.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.display_string.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.up_since.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"snmp.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.host.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.status.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.use
r\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.user.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.additional_info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"software.version.unparsed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromD
ocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.city_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.continent_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_iso_code.security\",\"type\":\"stri
ng\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.country_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_iso_code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.region_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.geo.timezone.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.hostname\"}}},{\"name\":\"source.hostname.security\",\"type\":\"string\",\
"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.hostname\"}}},{\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi
\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.cipher_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.client_host_key_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.compression_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.direction.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_server_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.hassh_version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esTyp
es\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.host_key_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.kex_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"type\
":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.mac_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.server_host_key_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl
.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.chain_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.certificate.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.cipher.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.certificate.chain_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.client.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.curve.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.last_alert.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.next_protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.server_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.
validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.validation_status.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"ssl.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility_label\"}}},{\"name\":\"syslog.facility_label.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"syslog.facility_label\"}}},{\"name\":\"syslog.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"syslog.severity_label\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity_label\"}}},{\"name\":\"syslog.severity_label.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"syslog.severity_label\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"tunnel.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.escalated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.escalated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.escalated\"}}},{\"name\":\"user.escalated.security\",\"type\":\"string\
",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.escalated\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"user.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.additional_info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.peer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"weird.peer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.activity_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword\"
,\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.api.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.channel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer\"}}},{\"name\":\"winlog.computer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.computer\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTypes
\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.computer_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.eventRecordID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.eventRecordID\"}}},{\"name\":\"winlog.eventRecordID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.eventRecordID\"}}},{\"name\":\"winlog.eventSourceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.eventSourceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.eventSourceName\"}}},{\"name\":\"winlog.eventSourceName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.eventSourceName\"}}},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false}
,{\"name\":\"winlog.event_data.AccessList.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessList\"}}},{\"name\":\"winlog.event_data.AccessList.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessList\"}}},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AccessMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessMask\"}}},{\"name\":\"winlog.event_data.AccessMask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessMask\"}}},{\"name\":\"winlog.event_data.Address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_data.Address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_dat
a.AddressLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AddressLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.AddressLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.Binary.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.CreationUtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceNameLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceNameLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMajor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMinor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DirtyPages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DirtyPages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DirtyPages\"}}},{\"name\":\"winlog.event_data.DirtyPages.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DirtyPages\"}}},{\"name\":\"winlog.event_data.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FileName\"}}},{\"name\":\"winlog.event_data.FileName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FileName\"}}},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FinalStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.FinalStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,
\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.HandleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.HandleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HandleId\"}}},{\"name\":\"winlog.event_data.HandleId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HandleId\"}}},{\"name\":\"winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.Hashes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.HiveName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.HiveName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveName\"}}},{\"name\":\"winlog.event_data.HiveName.security\",\"type\
":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveName\"}}},{\"name\":\"winlog.event_data.HiveNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.HiveNameLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveNameLength\"}}},{\"name\":\"winlog.event_data.HiveNameLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveNameLength\"}}},{\"name\":\"winlog.event_data.ImageLoaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ImageLoaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.ImageLoaded.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.IntegrityLevel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.KeysUpdated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.KeysUpdated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.KeysUpdated\"}}},{\"name\":\"winlog.event_data.KeysUpdated.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.KeysUpdated\"}}},{\"name\":\"winlog.event_data.LinkName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LinkName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LinkName\"}}},{\"name\":\"winlog.event_data.LinkName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LinkName\"}}},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.LogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.NewSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewSize\"}}},{\"name\":\"winlog.event_data.NewSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.N
ewSize\"}}},{\"name\":\"winlog.event_data.NewState\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewState.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewState\"}}},{\"name\":\"winlog.event_data.NewState.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewState\"}}},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.NewTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ObjectName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectName\"}}},{\"name\":\"winlog.event_data.ObjectName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectName\"}}},{\"name\":\"winlog.event_data.ObjectServer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ObjectServer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectServer\"}}},{\"name\":\"winlog.event_data.ObjectServer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectServer\"}}},{\"name\":\"winlog.event_data.ObjectType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ObjectType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectType\"}}},{\"name\":\"winlog.event_data.ObjectType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectType\"}}},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OldTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.OldTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.OriginalSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OriginalSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OriginalSize\"}}},{\"name\":\"winlog.event_data.OriginalSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OriginalSize\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.PreviousTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.ProcessID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessID\"}}},{\"name\":\"winlog.event_data.ProcessID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessID\"}}},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"w
inlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.ProcessName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.QueryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryResults\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryResults.security\",\
"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.QueryStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.Reason.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.ResourceAttributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ResourceAttributes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceAttributes\"}}},{\"name\":\"winlog.event_data.ResourceAttributes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceAttributes\"}}},{\"name\":\"winlog.event_data.ResourceManager\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ResourceManager.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceManager\"}}},{\"name\":\"winlog.event_data.ResourceManager.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceManager\"}}},{\"name\":\"winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.RuleName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.Signature.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SignatureStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.SignatureStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.Signed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\
":{\"multi\":{\"parent\":\"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.
event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.SubjectUserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TerminalSessionId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TransactionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TransactionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TransactionId\"}}},{\"name\":\"winlog.event_data.TransactionId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TransactionId\"}}},{\"name\":\"winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name
\":\"winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.UtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.authenticationPackageName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.authenticationPackageName\"}}},{\"name\":\"winlog.event_data.authenticationPackageName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.authenticationPackageName\"}}},{\"name\":\"winlog.event_data.callerProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.callerProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessId\"}}},{\"name\":\"winlog.event_data.callerProcessId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType
\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessId\"}}},{\"name\":\"winlog.event_data.callerProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.callerProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessName\"}}},{\"name\":\"winlog.event_data.callerProcessName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessName\"}}},{\"name\":\"winlog.event_data.clientProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.clientProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.clientProcessId\"}}},{\"name\":\"winlog.event_data.clientProcessId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.clientProcessId\"}}},{\"name\":\"winlog.event_data.countOfCredentialsReturned\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.countOfCredentialsReturned.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"sub
Type\":{\"multi\":{\"parent\":\"winlog.event_data.countOfCredentialsReturned\"}}},{\"name\":\"winlog.event_data.countOfCredentialsReturned.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.countOfCredentialsReturned\"}}},{\"name\":\"winlog.event_data.creationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.creationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.creationUtcTime\"}}},{\"name\":\"winlog.event_data.creationUtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.creationUtcTime\"}}},{\"name\":\"winlog.event_data.data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.data.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.data\"}}},{\"name\":\"winlog.event_data.data.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.data\"}}},{\"name\":\"winlog.event_data.destinationIsIpv6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"read
FromDocValues\":false},{\"name\":\"winlog.event_data.destinationIsIpv6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationIsIpv6\"}}},{\"name\":\"winlog.event_data.destinationIsIpv6.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationIsIpv6\"}}},{\"name\":\"winlog.event_data.destinationPortName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.destinationPortName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationPortName\"}}},{\"name\":\"winlog.event_data.destinationPortName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationPortName\"}}},{\"name\":\"winlog.event_data.details\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.details.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.details\"}}},{\"name\":\"winlog.event_data.details.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\
"subType\":{\"multi\":{\"parent\":\"winlog.event_data.details\"}}},{\"name\":\"winlog.event_data.elevatedToken\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.elevatedToken.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.elevatedToken\"}}},{\"name\":\"winlog.event_data.elevatedToken.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.elevatedToken\"}}},{\"name\":\"winlog.event_data.errorCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.errorCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.errorCode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.eventType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.eventType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.eventType\"}}},{\"name\":\"winlog.
event_data.eventType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.eventType\"}}},{\"name\":\"winlog.event_data.hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.hashes\"}}},{\"name\":\"winlog.event_data.hashes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.hashes\"}}},{\"name\":\"winlog.event_data.imagePath\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.imagePath.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.imagePath\"}}},{\"name\":\"winlog.event_data.imagePath.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.imagePath\"}}},{\"name\":\"winlog.event_data.impersonationLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.impersonationLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.impersonationLevel\"}}},{\"name\":\"winlog.event_data.impersonationLevel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.impersonationLevel\"}}},{\"name\":\"winlog.event_data.initiated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.initiated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.initiated\"}}},{\"name\":\"winlog.event_data.initiated.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.initiated\"}}},{\"name\":\"winlog.event_data.integrityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.integrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.integrityLevel\"}}},{\"name\":\"winlog.event_data.integrityLevel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.integrityLevel\"}}},{\"name\":\"winlog.event_data.keyLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.keyLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.keyLength\"}}},{\"name\":\"winlog.event_data.keyLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.keyLength\"}}},{\"name\":\"winlog.event_data.logonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonGuid\"}}},{\"name\":\"winlog.event_data.logonGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonGuid\"}}},{\"name\":\"winlog.event_data.logonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonId\"}}},{\"name\":\"winlog.event_data.logonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"m
ulti\":{\"parent\":\"winlog.event_data.logonId\"}}},{\"name\":\"winlog.event_data.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonProcessName\"}}},{\"name\":\"winlog.event_data.logonProcessName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonProcessName\"}}},{\"name\":\"winlog.event_data.logonType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonType\"}}},{\"name\":\"winlog.event_data.logonType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonType\"}}},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_dat
a.param1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_data.param10\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param10.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param10\"}}},{\"name\":\"winlog.event_data.param10.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param10\"}}},{\"name\":\"winlog.event_data.param11\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param11.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param11\"}}},{\"name\":\"winlog.event_data.param11.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param11\"}}},{\"name\":\"winlog.event_data.param16\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param16.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param16\"}}},{\"name\":\"winlog.event_data.param16.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param16\"}}},{\"name\":\"winlog.event_data.param19\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param19.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param19\"}}},{\"name\":\"winlog.event_data.param19.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param19\"}}},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param2.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param20\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param20
.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param20\"}}},{\"name\":\"winlog.event_data.param20.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param20\"}}},{\"name\":\"winlog.event_data.param21\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param21.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param21\"}}},{\"name\":\"winlog.event_data.param21.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param21\"}}},{\"name\":\"winlog.event_data.param22\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param22.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param22\"}}},{\"name\":\"winlog.event_data.param22.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param22\"}}},{\"name\":\"winlog.event_data.param23\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param23.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param23\"}}},{\"name\":\"winlog.event_data.param23.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param23\"}}},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param3.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param4.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"win
log.event_data.param4\"}}},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param5.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param6.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.param7.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.param8\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param8.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param8\"}}},{\"name\":\"winlog.event_data.param8.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param8\"}}},{\"name\":\"winlog.event_data.param9\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param9.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param9\"}}},{\"name\":\"winlog.event_data.param9.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param9\"}}},{\"name\":\"winlog.event_data.privilegeList\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.privilegeList.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.p
rivilegeList\"}}},{\"name\":\"winlog.event_data.privilegeList.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.privilegeList\"}}},{\"name\":\"winlog.event_data.processCreationTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.processCreationTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processCreationTime\"}}},{\"name\":\"winlog.event_data.processCreationTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processCreationTime\"}}},{\"name\":\"winlog.event_data.processId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.processId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processId\"}}},{\"name\":\"winlog.event_data.processId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processId\"}}},{\"name\":\"winlog.event_data.processName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_dat
a.processName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processName\"}}},{\"name\":\"winlog.event_data.processName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processName\"}}},{\"name\":\"winlog.event_data.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.protocol\"}}},{\"name\":\"winlog.event_data.protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.protocol\"}}},{\"name\":\"winlog.event_data.queryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.queryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryName\"}}},{\"name\":\"winlog.event_data.queryName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryName\"}}},{\"name\":\"winlog.event_data.queryResults\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.queryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryResults\"}}},{\"name\":\"winlog.event_data.queryResults.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryResults\"}}},{\"name\":\"winlog.event_data.queryStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.queryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryStatus\"}}},{\"name\":\"winlog.event_data.queryStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryStatus\"}}},{\"name\":\"winlog.event_data.readOperation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.readOperation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.readOperation\"}}},{\"name\":\"winlog.event_data.readOperation.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.readOperation\"}}},{\"name\":\"winlog.event_data.returnCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.returnCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.returnCode\"}}},{\"name\":\"winlog.event_data.returnCode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.returnCode\"}}},{\"name\":\"winlog.event_data.ruleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ruleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ruleName\"}}},{\"name\":\"winlog.event_data.ruleName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ruleName\"}}},{\"name\":\"winlog.event_data.serviceGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi
\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.serviceGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceName\"}}},{\"name\":\"winlog.event_data.serviceName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceName\"}}},{\"name\":\"winlog.event_data.serviceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceType\"}}},{\"name\":\"winlog.event_data.serviceType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceType\"}}},{\"name\":\"winlog.event_data.sourceIsIpv6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_da
ta.sourceIsIpv6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.sourceIsIpv6\"}}},{\"name\":\"winlog.event_data.sourceIsIpv6.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.sourceIsIpv6\"}}},{\"name\":\"winlog.event_data.startType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.startType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.startType\"}}},{\"name\":\"winlog.event_data.startType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.startType\"}}},{\"name\":\"winlog.event_data.subjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectDomainName\"}}},{\"name\":\"winlog.event_data.subjectDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectDomainName\"}}},{\"
name\":\"winlog.event_data.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectLogonId\"}}},{\"name\":\"winlog.event_data.subjectLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectLogonId\"}}},{\"name\":\"winlog.event_data.subjectUserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectUserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserName\"}}},{\"name\":\"winlog.event_data.subjectUserName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserName\"}}},{\"name\":\"winlog.event_data.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserSid\"}}},{\"name\":\"winlog.event_data.subjectUs
erSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserSid\"}}},{\"name\":\"winlog.event_data.targetDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetDomainName\"}}},{\"name\":\"winlog.event_data.targetDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetDomainName\"}}},{\"name\":\"winlog.event_data.targetLinkedLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetLinkedLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLinkedLogonId\"}}},{\"name\":\"winlog.event_data.targetLinkedLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLinkedLogonId\"}}},{\"name\":\"winlog.event_data.targetLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetLogonId.ke
yword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLogonId\"}}},{\"name\":\"winlog.event_data.targetLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLogonId\"}}},{\"name\":\"winlog.event_data.targetName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetName\"}}},{\"name\":\"winlog.event_data.targetName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetName\"}}},{\"name\":\"winlog.event_data.targetObject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetObject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetObject\"}}},{\"name\":\"winlog.event_data.targetObject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetObject\"}}},{\"name\":\"winlog.event_data.targetSi
d\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetSid\"}}},{\"name\":\"winlog.event_data.targetSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetSid\"}}},{\"name\":\"winlog.event_data.targetUserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetUserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserName\"}}},{\"name\":\"winlog.event_data.targetUserName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserName\"}}},{\"name\":\"winlog.event_data.targetUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserSid\"}}},{\"name\":\"winlog.event_data.targetUserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserSid\"}}},{\"name\":\"winlog.event_data.terminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.terminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.terminalSessionId\"}}},{\"name\":\"winlog.event_data.terminalSessionId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.terminalSessionId\"}}},{\"name\":\"winlog.event_data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.type\"}}},{\"name\":\"winlog.event_data.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.type\"}}},{\"name\":\"winlog.event_data.updateGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateTitle\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateTitle.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_data.updateTitle.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_data.utcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.utcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.utcTime\"}}},{\"name\":\"winlog.event_data.utcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.utcTime\"}}},{\"name\":\"winlog.event_data.virtualAccount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.virtualAccount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.virtualAccount\"}}},{\"name\":\"winlog.event_data.virtualAccount.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.virtualAccount\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.keywords.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.level\"}}},{\"name\":\"winlog.level.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.level\"}}},{\"name\":\"winlog.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.message\"}}},{\"name\":\"winlog.message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.message\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.opcode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.processID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.processID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.processID\"}}},{\"name\":\"winlog.processID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.processID\"}}},{\"name\":\"winlog.providerGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.providerGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.providerGuid\"}}},{\"name\":\"winlog.providerGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.providerGuid\"}}},{\"name\":\"winlog.providerName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provi
derName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.providerName\"}}},{\"name\":\"winlog.providerName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.providerName\"}}},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_guid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.provider_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true},{\"name\":\"winlog.severityValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.severityValue.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.severityValue\"}}},{\"name\":\"winlog.severityValue.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.severityValue\"}}},{\"name\":\"winlog.systemTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.systemTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.systemTime\"}}},{\"name\":\"winlog.systemTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.systemTime\"}}},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.task.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"w
inlog.task\"}}},{\"name\":\"winlog.threadID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.threadID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.threadID\"}}},{\"name\":\"winlog.threadID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.threadID\"}}},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.identifier.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"mult
i\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectDomainName\"}}},{\"name\":\"winlog.user_data.SubjectDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectDomainName\"}}},{\"name\":\"winlog.user_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectLogonId\"}}},{\"name\":\"winlog.user_data.SubjectLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectLogonId\"}}},{\"name\":\"winlog.user_data.SubjectUserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectUserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserName\"}}},{\"name\":\"winlog.user_data.SubjectUserName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserName\"}}},{\"name\":\"winlog.user_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserSid\"}}},{\"name\":\"winlog.user_data.SubjectUserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserSid\"}}},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.xml_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.user_data.xml_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.curve.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.exponent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"na
me\":\"x509.certificate.key.algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.key.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.not_valid_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.serial.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.signing_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"x509.san_dns.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}}]","timeFieldName":"@timestamp","title":"*:so-*"},"coreMigrationVersion":"7.16.2","id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,12],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjY3LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"coreMigrationVersion":"7.16.2","id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,14],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjY4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Logs Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Logs Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"coreMigrationVersion":"7.16.2","id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}]
,"sort":[1643385898421,16],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjY5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,18],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjcwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination 
IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,20],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjcxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Sender","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Sender\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From\"}}]}"},"coreMigrationVersion":"7.16.2","id":"7a789740-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,22],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjcyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Recipient","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Recipient\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"To\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.to.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Recipient\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a5742950-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,24],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - TLS","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
TLS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.tls: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TLS\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,26],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjc0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,28],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjc1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}"},"coreMigrationVersion":"7.16.2","id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,30],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjc2LDE1XQ=="} -{"attributes":{"columns":["source.ip","source.port","destination.ip","destination.port","log.id.uid","network.community_id","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[],"title":"Security Onion - All Logs","version":1},"coreMigrationVersion":"7.16.2","id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,32],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjc3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smtp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\"},\"panelIndex\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\"},\"panelIndex\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\"},\"panelIndex\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"d31027fb-a090-474f-9863-712ef30c0b3e\"},\"panelIndex\":\"d31027fb-a090-474f-9863-712ef30c0b3e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\"},\"panelIndex\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\"},\"panelIndex\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\"},\"panelIndex\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":
\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":18,\"h\":18,\"i\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\"},\"panelIndex\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":27,\"w\":15,\"h\":18,\"i\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\"},\"panelIndex\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\"},\"panelIndex\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"4053cc7e-9771-46d9-8e03-e430ab096805\"},\"panelIndex\":\"4053cc7e-9771-46d9-8e03-e430ab096805\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
SMTP","version":1},"coreMigrationVersion":"7.16.2","id":"00304500-75e7-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"7a789740-75e7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"a5742950-75e7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e77a2b60-75e7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"0713ebf0-75e8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"4178ce00-75e8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"sort":[1643385898421,44],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjc4LDE1XQ=="} -{"attributes":{"columns":["note","source_ip","destination_ip","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Notices - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,46],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjc5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",
\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,48],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/kibana/app/dashboards#/view/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/kibana/app/dashboards#/view/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data** \\n[Bro Notices](/kibana/app/dashboards#/view/01600fb0-34e4-11e7-9669-7f1d3242b798) \\n[ElastAlert](/kibana/app/dashboards#/view/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/kibana/app/dashboards#/view/0de7a390-3644-11e7-a6f7-4f44d7bf1c33) \\n[NIDS](/kibana/app/dashboards#/view/7f27a830-34e5-11e7-9669-7f1d3242b798)   \\n\\n**Bro Hunting** \\n[Connections](/kibana/app/dashboards#/view/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/kibana/app/dashboards#/view/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/kibana/app/dashboards#/view/85348270-357b-11e7-ac34-8965f6420c51) \\n[DNP3](/kibana/app/dashboards#/view/2fdf5bf0-3581-11e7-98ef-19df58fe538b) \\n[DNS](/kibana/app/dashboards#/view/ebf5ec90-34bf-11e7-9b32-bb903919ead9) \\n[Files](/kibana/app/dashboards#/view/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/kibana/app/dashboards#/view/27f3b380-3583-11e7-a588-05992195c551) \\n[HTTP](/kibana/app/dashboards#/view/230134a0-34c6-11e7-8360-0b86c90983fd) \\n[Intel](/kibana/app/dashboards#/view/468022c0-3583-11e7-a588-05992195c551) \\n[IRC](/kibana/app/dashboards#/view/56a34ce0-3583-11e7-a588-05992195c551) 
\\n[Kerberos](/kibana/app/dashboards#/view/6b0d4870-3583-11e7-a588-05992195c551) \\n[Modbus](/kibana/app/dashboards#/view/70c005f0-3583-11e7-a588-05992195c551) \\n[MySQL](/kibana/app/dashboards#/view/7929f430-3583-11e7-a588-05992195c551) \\n[NTLM](/kibana/app/dashboards#/view/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/kibana/app/dashboards#/view/8a10e380-3583-11e7-a588-05992195c551) \\n[RADIUS](/kibana/app/dashboards#/view/90b246c0-3583-11e7-a588-05992195c551) \\n[RDP](/kibana/app/dashboards#/view/97f8c3a0-3583-11e7-a588-05992195c551) \\n[RFB](/kibana/app/dashboards#/view/9ef20ae0-3583-11e7-a588-05992195c551) \\n[SIP](/kibana/app/dashboards#/view/ad3c0830-3583-11e7-a588-05992195c551) \\n[SMB](/kibana/app/dashboards#/view/b3a53710-3aaa-11e7-8b17-0d8709b02c80) \\n[SMTP](/kibana/app/dashboards#/view/b10a9c60-3583-11e7-a588-05992195c551) \\n[SNMP](/kibana/app/dashboards#/view/b65c2710-3583-11e7-a588-05992195c551) \\n[Software](/kibana/app/dashboards#/view/c2c99c30-3583-11e7-a588-05992195c551) \\n[SSH](/kibana/app/dashboards#/view/c6ccfc00-3583-11e7-a588-05992195c551) \\n[SSL](/kibana/app/dashboards#/view/cca67b60-3583-11e7-a588-05992195c551) \\n[Syslog](/kibana/app/dashboards#/view/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/kibana/app/dashboards#/view/d7b54ae0-3583-11e7-a588-05992195c551) \\n[Weird](/kibana/app/dashboards#/view/de2da250-3583-11e7-a588-05992195c551) \\n[X.509](/kibana/app/dashboards#/view/e5aa7170-3583-11e7-a588-05992195c551) \\n\\n**Host Hunting** \\n[Autoruns](/kibana/app/dashboards#/view/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[Beats](/kibana/app/dashboards#/view/AWBLNS3CRuBloj96jxub) \\n[Osquery](/kibana/app/dashboards#/view/9d0e2da0-14e1-11e9-82f7-0da02d93a48b) \\n[OSSEC](/kibana/app/dashboards#/view/3a457d70-3583-11e7-a588-05992195c551)  \\n[Sysmon](/kibana/app/dashboards#/view/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other** \\n[Domain Stats](/kibana/app/dashboards#/view/AWAi6wvxAvKNGEbUWO_j) 
\\n[Firewall](/kibana/app/dashboards#/view/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/kibana/app/dashboards#/view/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/kibana/app/dashboards#/view/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/kibana/app/dashboards#/view/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"},"coreMigrationVersion":"7.16.2","id":"b3b449d0-3429-11e7-9d52-4f090484f59e","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,49],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjgxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Source IP Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Source IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"66e26ad0-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,51],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjgyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Destination IP 
Addresses","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7c47b650-3580-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,53],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Notice Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Notice 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,55],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjg0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_mime_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME 
Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"53c62730-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,57],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjg1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - File Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"793c2640-39ad-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,59],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjg2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notice - Destination Port (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Notice - Destination Port (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,61],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - 
Notice - Message/Sub-Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notice - Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sub_msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,63],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjg4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Notices - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG1uC-xQT5EBNmq3dP","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,65],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjg5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Notices - Notice Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Notices - Notice 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,67],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjkwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Notices - Destination Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Notices - Destination 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1a879c90-4ca5-11e8-888d-71b91451cf05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,69],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjkxLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddab
leConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Notices","version":1},"coreMigrationVersion":"7.16.2","id":"01600fb0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"3027c4f0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"66e26ad0-3580-11e7-98ef-19df58fe538b","name":"panel_2","type":"visualization"},{"id":"7c47b650-3580-11e7-98ef-19df58fe538b","name":"panel_3","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"53c62730-39ad-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"793c2640-39ad-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"e85e2150-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"bfeb6210-7bb9-11e7-90ec-cdd3dff73b38","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"0a3bfbe0-342f-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"1a879c90-4ca5-11e8-888d-71b91451cf05","name":"panel_12","type":"visualization"}],"sort":[1643385898421,83],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjkyLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NTLM - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,85],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_do
c_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,87],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjk0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,89],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"NTLM - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,91],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjk2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,93],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjk3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,95],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,97],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNjk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHCEx7xQT5EBNmq4Vf","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,99],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzAwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NTLM - Hostname to Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Hostname to 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}"},"coreMigrationVersion":"7.16.2","id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,101],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzAxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server NetBIOS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server NetBIOS 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_nb_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server NetBIOS Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c23ea470-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,103],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzAyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server DNS Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server DNS Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_dns_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server 
DNS Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,105],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzAzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NTLM - Server Tree Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NTLM - Server Tree Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_tree_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Tree Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2a054320-0edd-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,107],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzA0LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":53,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":53,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"s
ort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":53,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":35,\"y\":32,\"w\":13,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":13,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"z16.04 - Bro - 
NTLM","version":1},"coreMigrationVersion":"7.16.2","id":"022713e0-3ab0-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"c21f4fa0-3aab-11e7-8b17-0d8709b02c80","name":"panel_2","type":"search"},{"id":"e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"d37b9330-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"f3a92f50-3af1-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"d7f162b0-6e1c-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCEx7xQT5EBNmq4Vf","name":"panel_8","type":"visualization"},{"id":"75ab1050-4a59-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"c23ea470-0edc-11e9-9846-59f545e7293f","name":"panel_10","type":"visualization"},{"id":"ee6a03f0-0edc-11e9-9846-59f545e7293f","name":"panel_11","type":"visualization"},{"id":"2a054320-0edd-11e9-9846-59f545e7293f","name":"panel_12","type":"visualization"}],"sort":[1643385898421,121],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzA1LDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:network\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Network 
Data","version":1},"coreMigrationVersion":"7.16.2","id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,123],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source 
IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0242ab70-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,125],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzA3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Files","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Strelka](/kibana/app/dashboards#/view/ff689c50-75f3-11ea-9565-7315f4ee5cac) \\n[Zeek](/kibana/app/dashboards#/view/ad4d5d60-75f4-11ea-9565-7315f4ee5cac)\"},\"aggs\":[]}"},"coreMigrationVersion":"7.16.2","id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,126],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzA4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-29T18:17:18.800Z\",\"max\":\"2020-03-30T18:17:18.800Z\"}},\"label\":\"@timestamp per 30 
minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"coreMigrationVersion":"7.16.2","id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,128],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzA5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - 
Modules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Modules\"}"},"coreMigrationVersion":"7.16.2","id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,130],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzEwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - 
Dataset","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,132],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzExLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,134],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzEyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Total 
Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Total Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.bytes.total: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.bytes.total\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Total Bytes\"}}]}"},"coreMigrationVersion":"7.16.2","id":"efc25540-75f1-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,136],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzEzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - MIME 
Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mime_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,138],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzE0LDE1XQ=="} 
-{"attributes":{"columns":["event.module","source.ip","destination.ip","file.mime_type","log.id.fuid","hash.sha1","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[],"title":"Security Onion - File Logs","version":1},"coreMigrationVersion":"7.16.2","id":"b0dc2460-0e4d-11eb-a255-e1e8e85e3571","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,140],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzE1LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\"},\"panelIndex\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":15,\"h\":7,\"i\":\"d09eef70-f2b5-4085-b619-11cae812be58\"},\"panelIndex\":\"d09eef70-f2b5-4085-b619-11cae812be58\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":7,\"i\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\"},\"panelIndex\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":20,\"i\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\"},\"panelIndex\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\",\"embeddableConfig\":{\
"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":20,\"i\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\"},\"panelIndex\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":16,\"y\":7,\"w\":10,\"h\":20,\"i\":\"7875de58-924b-4b27-bd51-159b5657659f\"},\"panelIndex\":\"7875de58-924b-4b27-bd51-159b5657659f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":26,\"y\":7,\"w\":10,\"h\":20,\"i\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\"},\"panelIndex\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":36,\"y\":7,\"w\":12,\"h\":20,\"i\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\"},\"panelIndex\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"cfa99d8f-e7d6-46d5-9e7f-5dc5c3371275\"},\"panelIndex\":\"cfa99d8f-e7d6-46d5-9e7f-5dc5c3371275\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - 
Files","version":1},"coreMigrationVersion":"7.16.2","id":"0245be10-6ec1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"9a5058f0-6e99-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"b0dc2460-0e4d-11eb-a255-e1e8e85e3571","name":"panel_8","type":"search"}],"sort":[1643385898421,150],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzE2LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSL - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,152],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzE3LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Version (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Version (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"02699580-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,154],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzE4LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SIP - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"9e131480-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,156],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzE5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_msg.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,158],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzIwLDE1XQ=="} 
-{"attributes":{"fieldAttrs":"{\"event.action\":{\"count\":8},\"host.user.name\":{\"count\":2},\"endgame.event_type_full\":{\"count\":5},\"host.name\":{\"count\":7},\"host.os.name\":{\"count\":3},\"host.os.name.text\":{\"count\":1},\"endgame.event_subtype_full\":{\"count\":3},\"event.category\":{\"count\":5},\"process.name\":{\"count\":6},\"process.parent.name\":{\"count\":1},\"agent.id\":{\"count\":2},\"process.executable\":{\"count\":3},\"type\":{\"count\":3},\"host.name.keyword\":{\"count\":2},\"event.sequence\":{\"count\":3},\"host.os.family\":{\"count\":1},\"host.os.platform\":{\"count\":1},\"event.type\":{\"count\":8},\"metadata.action\":{\"count\":2},\"user.name\":{\"count\":1},\"@version\":{\"count\":2},\"@timestamp\":{\"count\":1},\"registry.path\":{\"count\":1},\"related.user\":{\"count\":1},\"event.kind\":{\"count\":1},\"event.severity\":{\"count\":1},\"file.name\":{\"count\":4},\"host.domain\":{\"count\":1},\"process.command_line\":{\"count\":1},\"_id\":{\"count\":1},\"client.bytes\":{\"count\":2},\"destination.bytes\":{\"count\":2},\"network.bytes\":{\"count\":2},\"server.bytes\":{\"count\":2},\"source.bytes\":{\"count\":2},\"client.ip\":{\"count\":1},\"destination.ip\":{\"count\":1},\"source.ip\":{\"count\":1},\"file.attributes\":{\"count\":6},\"file.directory\":{\"count\":3},\"file.extension\":{\"count\":2},\"file.gid\":{\"count\":2},\"file.group\":{\"count\":2},\"host.hostname\":{\"count\":1},\"host.ip\":{\"count\":1},\"related.ip\":{\"count\":2},\"user.domain\":{\"count\":2}}","fieldFormatMap":"{\"process.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:process.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(process.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value 
}}\"}},\"user.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:user.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(user.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.type\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:event.module,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value 
}}\"}},\"network.transport\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:network.transport,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(network.transport:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:source.ip,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(source.ip:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:host.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(host.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"registry.key\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:registry.key,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(registry.key:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value 
}}\"}},\"host.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:host.ip,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(host.ip:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:destination.ip,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(destination.ip:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"event.category.dashboard\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{ rawValue }}\",\"labelTemplate\":\"{{ value }}\"}}}","fields":"[]","runtimeFieldMap":"{\"event.category.dashboard\":{\"type\":\"keyword\",\"script\":{\"source\":\"def source = doc['event.category'].value;\\nMap urls = new HashMap();\\nurls.put(\\\"authentication\\\", \\\"dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"file\\\", \\\"dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"network\\\", \\\"dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36\\\");\\nurls.put(\\\"process\\\", \\\"dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"registry\\\", \\\"dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"driver\\\", \\\"dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635\\\");\\nif (source != null) {\\n\\tdef url = urls.get(source);\\n\\tif (url != null) {\\n\\t\\temit(url);\\n 
return;\\n\\t}\\n}\\nemit(\\\"None\\\");\"}}}","timeFieldName":"@timestamp","title":"endgame-*","typeMeta":"{}"},"coreMigrationVersion":"7.16.2","id":"endgame-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,159],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzIxLDE1XQ=="} -{"attributes":{"columns":["host.name","registry.path","related.user"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame - Registry Events","version":1},"coreMigrationVersion":"7.16.2","id":"0359b740-64cc-11ec-864c-8b5450f97635","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,161],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzIyLDE1XQ=="} -{"attributes":{"color":"#D36086","description":"","name":"Endgame"},"coreMigrationVersion":"7.16.2","id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","references":[],"sort":[1643385898421,162],"type":"tag","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzIzLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"1828f449-a2e9-4ed2-a72c-e6f22382569e":{"columnOrder":["e5498d4d-b9af-4016-8afc-e4639ceb6c10","e5acabfb-508c-4778-adfb-e41ca3adbc23","cf39428c-7790-4793-8906-cb5f02fd2f0f","f42194c4-5434-42cb-ad39-e2756562f3ed","25c7f5d8-ce06-4da5-b769-820ba42e328e","d043970e-d696-48bc-905d-8f1f45019e3d"],"columns":{"25c7f5d8-ce06-4da5-b769-820ba42e328e":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.os.family","operationType":"terms","params":{"missingBucket":false,"orderBy":{"fallback":true,"type":"alphabetical"},"orderDirection":"asc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.os.family"},"cf39428c-7790-4793-8906-cb5f02fd2f0f":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"host.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"fallback":true,"type":"alphabetical"},"orderDirection":"asc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.ip"},"d043970e-d696-48bc-905d-8f1f45019e3d":{"customLabel":true,"dataType":"string","isBucketed":false,"label":"host.os.version","operationType":"last_value","params":{"sortField":"@timestamp"},"scale":"ordinal","sourceField":"host.os.version"},"e5498d4d-b9af-4016-8afc-e4639ceb6c10":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"fallback":true,"type":"alphabetical"},"orderDirection":"asc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"host.name"},"e5acabfb-508c-4778-adfb-e41ca3adbc23":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.id","operationType":"terms","params":{"missingBucket":false,"orderBy":{"fallback":true,"type":"alphabetical"},"orderDirection":"asc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.id"},"f42194c4-5434-42cb-ad39-e2756562f3ed":{"customLabel":true,"dataType":"string","isBucketed":t
rue,"label":"host.os.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"fallback":true,"type":"alphabetical"},"orderDirection":"asc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.os.name"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"e5498d4d-b9af-4016-8afc-e4639ceb6c10","isTransposed":false,"width":460.98333333333335},{"columnId":"cf39428c-7790-4793-8906-cb5f02fd2f0f","isTransposed":false,"width":254.98333333333332},{"columnId":"d043970e-d696-48bc-905d-8f1f45019e3d","isTransposed":false,"width":175.98333333333335},{"columnId":"f42194c4-5434-42cb-ad39-e2756562f3ed","isTransposed":false,"width":200.98333333333335},{"columnId":"e5acabfb-508c-4778-adfb-e41ca3adbc23","isTransposed":false,"width":515.8333333333334},{"columnId":"25c7f5d8-ce06-4da5-b769-820ba42e328e","isTransposed":false,"width":201.23333333333332}],"layerId":"1828f449-a2e9-4ed2-a72c-e6f22382569e","layerType":"data"}},"title":"Endgame - Host Information Table","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"03935e10-6a20-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-1828f449-a2e9-4ed2-a72c-e6f22382569e","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,166],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzI0LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9643f560-7a46-408c-b61d-ed2a87fc6103":{"columnOrder":["305b2f21-9981-40d5-a79b-f7a78eea89b4","3520723b-f0f3-4845-975c-e97380d8124b"],"columns":{"305b2f21-9981-40d5-a79b-f7a78eea89b4":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3520723b-f0f3-4845-975c-e97380d8124b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"process.name"},"3520723b-f0f3-4845-975c-e97380d8124b":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"layers":[{"categoryDisplay":"default","groups":["305b2f21-9981-40d5-a79b-f7a78eea89b4"],"layerId":"9643f560-7a46-408c-b61d-ed2a87fc6103","layerType":"data","legendDisplay":"default","metric":"3520723b-f0f3-4845-975c-e97380d8124b","nestedLegend":false,"numberDisplay":"percent"}],"palette":{"name":"kibana_palette","type":"palette"},"shape":"treemap"}},"title":"Endgame - Alert Process","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"0406add0-6e48-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,170],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzI1LDE1XQ=="} 
-{"attributes":{"columns":["osquery.columns.permissions","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome* AND osquery.columns.permissions:('all_urls','privacy')\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions - Sensitive Permissions","version":1},"coreMigrationVersion":"7.16.2","id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,172],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,174],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzI3LDE1XQ=="} -{"attributes":{"columns":["osquery.hostname","osquery.columns.username","osquery.LiveQuery","osquery.columns.name"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Chrome Extensions","version":1},"coreMigrationVersion":"7.16.2","id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,176],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzI4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Changes by Hostname","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Changes by 
Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"coreMigrationVersion":"7.16.2","id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"sort":[1643385898421,178],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.protocol:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Top Network Protocols","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Top Network 
Protocols\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,180],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzMwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network - Transport","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,182],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzMxLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.category: 
network\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"h\":9,\"i\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":9,\"i\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"w\":14,\"x\":13,\"y\":0},\"panelIndex\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":9,\"i\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"w\":13,\"x\":0,\"y\":9},\"panelIndex\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"w\":11,\"x\":13,\"y\":9},\"panelIndex\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"w\":12,\"x\":24,\"y\":9},\"panelIndex\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"w\":12,\"x\":36,\"y\":9},\"panelIndex\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":29,\"i\":\"55902091-6959-4127-a969-4015fbf124d3\",\"w\":48,\"
x\":0,\"y\":28},\"panelIndex\":\"55902091-6959-4127-a969-4015fbf124d3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Network","version":1},"coreMigrationVersion":"7.16.2","id":"04ff3ef0-6ea4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"79cc9670-6ead-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,191],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzMyLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"event_type:bro_conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Connections - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"9bf42190-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,193],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzMzLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Missed Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"missed_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"05088150-3670-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,195],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzM0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - 
Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.path.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.path.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Path\"}}]}"},"coreMigrationVersion":"7.16.2","id":"052df440-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,197],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzM1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - GID/SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
GID/SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"GID\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SID\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.rev: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.gid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"GID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.rev\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}"},"coreMigrationVersion":"7.16.2","id":"053f7130-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,199],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzM2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Originator Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Originator Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"original_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,201],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzM3LDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"osquery - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"84116380-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,203],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzM4LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"},"coreMigrationVersion":"7.16.2","id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"sort":[1643385898421,205],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzM5LDE1XQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"FTP - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,207],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_d
oc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"06f21d60-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,209],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Query","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.query.name.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.query.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query\"}}]}"},"coreMigrationVersion":"7.16.2","id":"07065340-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,211],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQyLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"b40ff395-6c20-4678-8aab-a74568f9a5cf":{"columnOrder":["7588aa5a-05de-44d8-952a-7e7f7f6e5519","0a2006cd-c185-4cf3-b9dc-7b395ca048cf","1fed253e-8c24-4b33-94e4-1114efd871b4","fa5b5762-e154-4170-8e31-110029d67cd0"],"columns":{"0a2006cd-c185-4cf3-b9dc-7b395ca048cf":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"fa5b5762-e154-4170-8e31-110029d67cd0","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"user.name"},"1fed253e-8c24-4b33-94e4-1114efd871b4":{"customLabel":true,"dataType":"string","isBucketed":false,"label":"event.outcome","operationType":"last_value","params":{"sortField":"@timestamp"},"scale":"ordinal","sourceField":"event.outcome"},"7588aa5a-05de-44d8-952a-7e7f7f6e5519":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"host.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"fa5b5762-e154-4170-8e31-110029d67cd0","type":"column"},"orderD
irection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.ip"},"fa5b5762-e154-4170-8e31-110029d67cd0":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"1fed253e-8c24-4b33-94e4-1114efd871b4"},{"columnId":"7588aa5a-05de-44d8-952a-7e7f7f6e5519","isTransposed":false},{"columnId":"fa5b5762-e154-4170-8e31-110029d67cd0","isTransposed":false},{"columnId":"0a2006cd-c185-4cf3-b9dc-7b395ca048cf","isTransposed":false}],"layerId":"b40ff395-6c20-4678-8aab-a74568f9a5cf","layerType":"data"}},"title":"Endgame - Auth Event Outcome","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"072ae530-6d6c-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-b40ff395-6c20-4678-8aab-a74568f9a5cf","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,216],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - 
Section","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.section_names.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Section\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - Section\"}"},"coreMigrationVersion":"7.16.2","id":"07419650-c763-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,218],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQ0LDE1XQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Intel - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,220],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQ1LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Indicator Type (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Intel - Indicator Type (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"indicator_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator 
Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,222],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQ2LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"MySQL - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"5d624230-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,224],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - 
Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_command.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_argument.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,226],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQ4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - HTTP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.method.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"coreMigrationVersion":"7.16.2","id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,228],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SHA256","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - 
SHA256\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.hash.sha256.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.sha256.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,230],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzUwLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"a4e4fe43-0662-4a4f-a5b1-57b8f6475336":{"columnOrder":["198124aa-9a71-41ea-bcc5-1938e8373b85","80ce6212-7318-4c10-90ad-bb58171524d0","556f58d4-2449-46ab-ba8c-db6846dcb74a","fa795a61-1d89-491e-87de-ba6469644719"],"columns":{"198124aa-9a71-41ea-bcc5-1938e8373b85":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"server.address","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"fa795a61-1d89-491e-87de-ba6469644719","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"server.address"},"556f58d4-2449-46ab-ba8c-db6846dcb74a":{"dataType":"number","isBucketed":true,"label":"server.port","operationType":"range","params":{"maxBars":"auto","ranges":[{"from":0,"label":"","to":1000}],"type":"histogram"},"scale":"interval","sourceField":"server.port"},"80ce6212-7318-4c10-90ad-bb58171524d0":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"network.transport","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"fa795a61-1d89-491e-87de-ba6469644719","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"network.transport"},"fa795a61-1d89-491e-87de-ba6469644719":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"198124aa-9a71-41ea-bcc5-1938e8373b85","isTransposed":false},{"columnId":"80ce6212-7318-4c10-90ad-bb58171524d0","isTransposed":false},{"columnId":"fa795a61-
1d89-491e-87de-ba6469644719","isTransposed":false},{"columnId":"556f58d4-2449-46ab-ba8c-db6846dcb74a","isTransposed":false}],"layerId":"a4e4fe43-0662-4a4f-a5b1-57b8f6475336","layerType":"data"}},"title":"Endgame - Network Transport","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"09227f50-6e44-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-a4e4fe43-0662-4a4f-a5b1-57b8f6475336","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,235],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzUxLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SSH - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"c33e7600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,237],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzUyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSH - Log Count Over 
TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,239],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzUzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Hash - 
MD5","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Hash - MD5\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.md5.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MD5\"}}]}"},"coreMigrationVersion":"7.16.2","id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,241],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzU0LDE1XQ=="} -{"attributes":{"columns":["source_ip","syslog-host_from","syslog-priority"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (All) - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,243],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzU1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Host From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Host From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host (From)\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"sort":[1643385898421,245],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzU2LDE1XQ=="} -{"attributes":{"columns":["host","certificate_subject","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"X.509 - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,247],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_issuer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,249],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzU4LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RDP - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"823dd600-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,251],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,253],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzYwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Certificate Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Certificate 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.certificate_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.certificate_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,255],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzYxLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"d46522e0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,257],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzYyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query_type_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,259],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzYzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"title":"Endgame - Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - 
Navigation\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":true,\"markdown\":\"**Kibana** \\n[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n[Alerts](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) |\\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame Console** \\n [Dashboard](https://ENDGAMEHOST/dashboard) | [Alerts](https://ENDGAMEHOST/alerts/dashboard)\"}}"},"coreMigrationVersion":"7.16.2","id":"754f7380-6d82-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"},{"id":"0b963f20-6f9c-11ec-864c-8b5450f97635","name":"tag-0b963f20-6f9c-11ec-864c-8b5450f97635","type":"tag"}],"sort":[1643385898421,262],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzY0LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"842f61f9-afc4-44dc-a6bd-e3cc66a8827b":{"columnOrder":["2834ba67-2809-442b-b80b-4b17d3a67d43"],"columns":{"2834ba67-2809-442b-b80b-4b17d3a67d43":{"customLabel":true,"dataType":"number","isBucketed":false,"label":" Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"accessor":"2834ba67-2809-442b-b80b-4b17d3a67d43","layerId":"842f61f9-afc4-44dc-a6bd-e3cc66a8827b","layerType":"data"}},"title":"Endgame - Alerts All 
Logs","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"914d4890-6e46-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,266],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzY1LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"0600494b-6f03-450b-8dab-981005aedf32":{"columnOrder":["0f00561d-d6d7-46b2-af59-4ea225a9893a","34e0e2cc-aab4-4581-9bc4-aba527024007"],"columns":{"0f00561d-d6d7-46b2-af59-4ea225a9893a":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"},"34e0e2cc-aab4-4581-9bc4-aba527024007":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","params":{"format":{"id":"number","params":{"decimals":0}}},"scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" 
"},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":false,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["34e0e2cc-aab4-4581-9bc4-aba527024007"],"layerId":"0600494b-6f03-450b-8dab-981005aedf32","layerType":"data","position":"top","seriesType":"bar","showGridlines":false,"xAccessor":"0f00561d-d6d7-46b2-af59-4ea225a9893a"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Alert Logs Over Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"d94cae10-6e46-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,270],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzY2LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3b6026b4-9c36-4fbc-9f90-bd5580303bea":{"columnOrder":["d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721","ff0a89b4-427d-4739-bb83-86794a1f4289"],"columns":{"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ff0a89b4-427d-4739-bb83-86794a1f4289","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"user.name"},"ff0a89b4-427d-4739-bb83-86794a1f4289":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"columns":[{"columnId":"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721"},{"columnId":"ff0a89b4-427d-4739-bb83-86794a1f4289"}],"layerId":"3b6026b4-9c36-4fbc-9f90-bd5580303bea","layerType":"data"}},"title":"Endgame - Alert User Name","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"f376b820-6e47-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,274],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzY3LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3dff58f4-dda3-4f2d-9e31-d8552e12eb13":{"columnOrder":["8e1fb558-637d-42a8-9127-002e698bde8a","8546cccc-256d-4ef9-8de6-2825a3a5a649","f6f670d2-0af3-4432-97d4-8ac112cb7102"],"columns":{"8546cccc-256d-4ef9-8de6-2825a3a5a649":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"command_line","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f6f670d2-0af3-4432-97d4-8ac112cb7102","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"process.command_line"},"8e1fb558-637d-42a8-9127-002e698bde8a":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.domain","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f6f670d2-0af3-4432-97d4-8ac112cb7102","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.domain"},"f6f670d2-0af3-4432-97d4-8ac112cb7102":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"columns":[{"columnId":"8546cccc-256d-4ef9-8de6-2825a3a5a649","isTransposed":false,"width":432.33333333333337},{"columnId":"8e1fb558-637d-42a8-9127-002e698bde8a","isTransposed":false,"width":197.83333333333331},{"columnId":"f6f670d2-0af3-4432-97d4-8ac112cb7102","isTransposed":false}],"layerId":"3dff58f4-dda3-4f2d-9e31-d8552e12eb13","layerType":"data"}},"title":"Endgame - Alerts Host 
Domain","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"1fd82420-6e3a-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3dff58f4-dda3-4f2d-9e31-d8552e12eb13","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,278],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzY4LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"46832f84-f86b-4914-a3ac-aaeda9f09cf7":{"columnOrder":["77069155-4e9a-4727-b888-648fed60258e","e7878efe-2181-449d-afd3-771296665829","738c056c-c4eb-4855-a690-90fa5b9e23f8","02c8c47e-9b96-4384-b467-1fd9cff2b78b","d61f74aa-1899-4881-a2cc-d0dc7cbf28df","6de07e81-5ee7-4885-af47-26b401667757","895abdf3-8c99-4473-a904-b379d478aae1","e30b3573-c58d-4b82-853d-70c1d090d641"],"columns":{"02c8c47e-9b96-4384-b467-1fd9cff2b78b":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.command_line","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"process.command_line"},"6de07e81-5ee7-4885-af47-26b401667757":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"file.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"file.name"},"738c056c-c4eb-4855-a690-90fa5b9e23f8":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Category","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573
-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"event.category"},"77069155-4e9a-4727-b888-648fed60258e":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"event.id ","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"event.id"},"895abdf3-8c99-4473-a904-b379d478aae1":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.domain","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.domain"},"d61f74aa-1899-4881-a2cc-d0dc7cbf28df":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"process.name"},"e30b3573-c58d-4b82-853d-70c1d090d641":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"e7878efe-2181-449d-afd3-771296665829":{"customLabel":true,"dataType":"number","isBucketed":true,"label":"Severity","operationType":"range","params":{"maxBars":"auto","ranges":[{"from":0,"label":"","to":1000}],"type":"histogram"},"scale":"interval","sourceField":"event.severity"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" 
"},"visualization":{"columns":[{"columnId":"77069155-4e9a-4727-b888-648fed60258e","isTransposed":false},{"alignment":"center","columnId":"e7878efe-2181-449d-afd3-771296665829","isTransposed":false},{"columnId":"738c056c-c4eb-4855-a690-90fa5b9e23f8","isTransposed":false},{"columnId":"02c8c47e-9b96-4384-b467-1fd9cff2b78b","isTransposed":false},{"columnId":"d61f74aa-1899-4881-a2cc-d0dc7cbf28df","isTransposed":false},{"columnId":"6de07e81-5ee7-4885-af47-26b401667757","isTransposed":false},{"columnId":"895abdf3-8c99-4473-a904-b379d478aae1","isTransposed":false},{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","hidden":true,"isTransposed":false}],"layerId":"46832f84-f86b-4914-a3ac-aaeda9f09cf7","layerType":"data"}},"title":"Endgame - Alerts Events","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"ca0f3e20-6e48-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,282],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzY5LDE1XQ=="} -{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.kind\",\"params\":{\"query\":\"alert\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame - Alert 
Search","version":1},"coreMigrationVersion":"7.16.2","id":"3ab5c280-6f06-11ec-864c-8b5450f97635","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"sort":[1643385898421,285],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzcwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":11,\"i\":\"3aa898cc-eaa4-47ea-962f-fd5be8255144\"},\"panelIndex\":\"3aa898cc-eaa4-47ea-962f-fd5be8255144\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_3aa898cc-eaa4-47ea-962f-fd5be8255144\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":9,\"h\":11,\"i\":\"1ab268d3-b117-4d65-b568-d53af35bebb4\"},\"panelIndex\":\"1ab268d3-b117-4d65-b568-d53af35bebb4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\",\"type\":\"lens\",\"id\":\"914d4890-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\",\"type\":\"lens\",\"id\":\"914d4890-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\",\"type\":\"lens\",\"id\":\"914d4890-6e46-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b\"}],\"state\":{\"visualization\":{\"layerId\":\"842f61f9-afc4-44dc-a6bd-e3cc66a8827b\",\"accessor\":\"2834ba67-2809-442b-b80b-4b17d3a67d43\",\"layerType\":\"data\"},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"842f61f9-afc4-44dc-a6bd-e3cc66a8827b\":{\"columns\":{\"2834ba67-2809-442b-b80b-4b17d3a67d43\":{\"label\":\" 
\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"customLabel\":true}},\"columnOrder\":[\"2834ba67-2809-442b-b80b-4b17d3a67d43\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":11,\"i\":\"41131702-4832-4ca2-a24c-2418181fa4bb\"},\"panelIndex\":\"41131702-4832-4ca2-a24c-2418181fa4bb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\",\"type\":\"lens\",\"id\":\"d94cae10-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\",\"type\":\"lens\",\"id\":\"d94cae10-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\",\"type\":\"lens\",\"id\":\"d94cae10-6e46-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":false,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar\",\"layers\":[{\"layerId\":\"0600494b-6f03-450b-8dab-981005aedf32\",\"accessors\":[\"34e0e2cc-aab4-4581-9bc4-aba527024007\"],\"position\":\"top\",\"seriesType\":\"bar\",\"showGri
dlines\":false,\"layerType\":\"data\",\"xAccessor\":\"0f00561d-d6d7-46b2-af59-4ea225a9893a\"}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0600494b-6f03-450b-8dab-981005aedf32\":{\"columns\":{\"0f00561d-d6d7-46b2-af59-4ea225a9893a\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"34e0e2cc-aab4-4581-9bc4-aba527024007\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"0f00561d-d6d7-46b2-af59-4ea225a9893a\",\"34e0e2cc-aab4-4581-9bc4-aba527024007\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Alerts Log Count Over 
Time\",\"panelRefName\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":8,\"h\":15,\"i\":\"126f7572-997b-441a-a124-a342a75325d5\"},\"panelIndex\":\"126f7572-997b-441a-a124-a342a75325d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_126f7572-997b-441a-a124-a342a75325d5\",\"type\":\"lens\",\"id\":\"f376b820-6e47-11ec-864c-8b5450f97635\"},{\"name\":\"panel_126f7572-997b-441a-a124-a342a75325d5\",\"type\":\"lens\",\"id\":\"f376b820-6e47-11ec-864c-8b5450f97635\"},{\"name\":\"panel_126f7572-997b-441a-a124-a342a75325d5\",\"type\":\"lens\",\"id\":\"f376b820-6e47-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea\"}],\"state\":{\"visualization\":{\"layerId\":\"3b6026b4-9c36-4fbc-9f90-bd5580303bea\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721\"},{\"columnId\":\"ff0a89b4-427d-4739-bb83-86794a1f4289\"}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b6026b4-9c36-4fbc-9f90-bd5580303bea\":{\"columns\":{\"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721\":{\"label\":\"user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ff0a89b4-427d-4739-bb83-86794a1f4289\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"ff0a89b4-427d-4739-bb83-86794a1f4289\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"customLabel\":true}},\"columnOrder\":[\"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721\",\"ff0a89b4-427d-4739-bb83-86794a1f4289\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Alerts Users\",\"panelRefName\":\"panel_126f7572-997b-441a-a124-a342a75325d5\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":11,\"w\":16,\"h\":15,\"i\":\"146912f3-f4f8-4cc3-9226-6f516dd3c3da\"},\"panelIndex\":\"146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"type\":\"lens\",\"id\":\"0406add0-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"type\":\"lens\",\"id\":\"0406add0-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"type\":\"lens\",\"id\":\"0406add0-6e48-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103\"}],\"state\":{\"visualizat
ion\":{\"shape\":\"treemap\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"layers\":[{\"layerId\":\"9643f560-7a46-408c-b61d-ed2a87fc6103\",\"groups\":[\"305b2f21-9981-40d5-a79b-f7a78eea89b4\"],\"metric\":\"3520723b-f0f3-4845-975c-e97380d8124b\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9643f560-7a46-408c-b61d-ed2a87fc6103\":{\"columns\":{\"305b2f21-9981-40d5-a79b-f7a78eea89b4\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3520723b-f0f3-4845-975c-e97380d8124b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"3520723b-f0f3-4845-975c-e97380d8124b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"305b2f21-9981-40d5-a79b-f7a78eea89b4\",\"3520723b-f0f3-4845-975c-e97380d8124b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[]}},\"type\":\"lens\"},\"title\":\"Endgame - Alerts 
Processes\",\"panelRefName\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":11,\"w\":24,\"h\":15,\"i\":\"7a533f92-16c8-4f34-b31b-8055cce33284\"},\"panelIndex\":\"7a533f92-16c8-4f34-b31b-8055cce33284\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"panelRefName\":\"panel_7a533f92-16c8-4f34-b31b-8055cce33284\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":13,\"i\":\"37330ea4-1070-465d-8356-97f438a273f9\"},\"panelIndex\":\"37330ea4-1070-465d-8356-97f438a273f9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\",\"type\":\"lens\",\"id\":\"ca0f3e20-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\",\"type\":\"lens\",\"id\":\"ca0f3e20-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\",\"type\":\"lens\",\"id\":\"ca0f3e20-6e48-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7\"}],\"state\":{\"visualization\":{\"layerId\":\"46832f84-f86b-4914-a3ac-aaeda9f09cf7\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"77069155-4e9a-4727-b888-648fed60258e\",\"isTransposed\":false},{\"columnId\":\"e7878efe-2181-449d-afd3-771296665829\",\"isTransposed\":false,\"alignment\":\"center\"},{\"isTransposed\":false,\"columnId\":\"738c056c-c4eb-4855-a690-90fa5b9e23f8\"},{\"isTransposed\":false,\"columnId\":\"02c8c47e-9b96-4384-b467-1fd9cff2b78b\"},{\"isTransposed\":false,\"columnId\":\"d61f74aa-1899-4881-a2cc-d0dc7cbf28df\"},{\"isTransposed\":false,\"columnId\":\"6de07e81-5ee7-4885-af47-26b401667757\"},{\"isTransposed\":false,\"columnId\":\"895a
bdf3-8c99-4473-a904-b379d478aae1\"},{\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\",\"isTransposed\":false,\"hidden\":true}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"46832f84-f86b-4914-a3ac-aaeda9f09cf7\":{\"columns\":{\"77069155-4e9a-4727-b888-648fed60258e\":{\"label\":\"event.id (click on + to go to Endgame)\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.id\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"e7878efe-2181-449d-afd3-771296665829\":{\"label\":\"Severity\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"event.severity\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"738c056c-c4eb-4855-a690-90fa5b9e23f8\":{\"label\":\"Category\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.category\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"02c8c47e-9b96-4384-b467-1fd9cff2b78b\":{\"label\":\"process.command_line\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"d61f74aa-1899-4881-a2cc-d0dc7cbf28df\":{\"label\":\"process.name\",\"dataType\":\"string\",\"
operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"6de07e81-5ee7-4885-af47-26b401667757\":{\"label\":\"file.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"895abdf3-8c99-4473-a904-b379d478aae1\":{\"label\":\"host.domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"e30b3573-c58d-4b82-853d-70c1d090d641\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"77069155-4e9a-4727-b888-648fed60258e\",\"e7878efe-2181-449d-afd3-771296665829\",\"738c056c-c4eb-4855-a690-90fa5b9e23f8\",\"02c8c47e-9b96-4384-b467-1fd9cff2b78b\",\"d61f74aa-1899-4881-a2cc-d0dc7cbf28df\",\"6de07e81-5ee7-4885-af47-26b401667757\",\"895abdf3-8c99-4473-a904-b379d478aae1\",\"e30b3573-c58d-4b82-853d-70c1d090d641\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"28bd4c58-580b-4d1c-b65e-3ddef0fee644\",\"triggers\":[\"VALUE_CLICK_TRIGGER\"],\"action\":{\"factoryId\":\"URL_DRILLDOWN\",\"name\":\"Open event in 
Endgame\",\"config\":{\"url\":{\"template\":\"https://ENDGAMEHOST/alerts/{{event.value}}\"},\"openInNewTab\":true,\"encodeUrl\":false}}}]}},\"hidePanelTitles\":false,\"type\":\"lens\"},\"title\":\"Endgame - Alerts Event\",\"panelRefName\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":18,\"i\":\"b3f00dae-22f1-4455-a672-087870874671\"},\"panelIndex\":\"b3f00dae-22f1-4455-a672-087870874671\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b3f00dae-22f1-4455-a672-087870874671\"}]","timeRestore":false,"title":"Endgame - Alerts","version":1},"coreMigrationVersion":"7.16.2","id":"0c8e61c0-67fc-11ec-864c-8b5450f97635","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"3aa898cc-eaa4-47ea-962f-fd5be8255144:panel_3aa898cc-eaa4-47ea-962f-fd5be8255144","type":"visualization"},{"id":"914d4890-6e46-11ec-864c-8b5450f97635","name":"1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4","type":"lens"},{"id":"914d4890-6e46-11ec-864c-8b5450f97635","name":"1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4","type":"lens"},{"id":"914d4890-6e46-11ec-864c-8b5450f97635","name":"1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4","type":"lens"},{"id":"914d4890-6e46-11ec-864c-8b5450f97635","name":"1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4","type":"lens"},{"id":"endgame-*","name":"1ab268d3-b117-4d65-b568-d53af35bebb4:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"1ab268d3-b117-4d65-b568-d53af35bebb4:indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b","type":"index-pattern"},{"id":"d94cae10-6e46-11ec-864c-8b5450f97635","name":"41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb","type":"lens"},{"id":"d94cae10-6e46-11
ec-864c-8b5450f97635","name":"41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb","type":"lens"},{"id":"d94cae10-6e46-11ec-864c-8b5450f97635","name":"41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb","type":"lens"},{"id":"d94cae10-6e46-11ec-864c-8b5450f97635","name":"41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb","type":"lens"},{"id":"endgame-*","name":"41131702-4832-4ca2-a24c-2418181fa4bb:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"41131702-4832-4ca2-a24c-2418181fa4bb:indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32","type":"index-pattern"},{"id":"f376b820-6e47-11ec-864c-8b5450f97635","name":"126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5","type":"lens"},{"id":"f376b820-6e47-11ec-864c-8b5450f97635","name":"126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5","type":"lens"},{"id":"f376b820-6e47-11ec-864c-8b5450f97635","name":"126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5","type":"lens"},{"id":"f376b820-6e47-11ec-864c-8b5450f97635","name":"126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5","type":"lens"},{"id":"endgame-*","name":"126f7572-997b-441a-a124-a342a75325d5:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"126f7572-997b-441a-a124-a342a75325d5:indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea","type":"index-pattern"},{"id":"0406add0-6e48-11ec-864c-8b5450f97635","name":"146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da","type":"lens"},{"id":"0406add0-6e48-11ec-864c-8b5450f97635","name":"146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da","type":"lens"},{"id":"0406add0-6e48-11ec-864c-8b5450f97635","name":"146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f
4f8-4cc3-9226-6f516dd3c3da","type":"lens"},{"id":"0406add0-6e48-11ec-864c-8b5450f97635","name":"146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da","type":"lens"},{"id":"endgame-*","name":"146912f3-f4f8-4cc3-9226-6f516dd3c3da:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"146912f3-f4f8-4cc3-9226-6f516dd3c3da:indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103","type":"index-pattern"},{"id":"1fd82420-6e3a-11ec-864c-8b5450f97635","name":"7a533f92-16c8-4f34-b31b-8055cce33284:panel_7a533f92-16c8-4f34-b31b-8055cce33284","type":"lens"},{"id":"ca0f3e20-6e48-11ec-864c-8b5450f97635","name":"37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9","type":"lens"},{"id":"ca0f3e20-6e48-11ec-864c-8b5450f97635","name":"37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9","type":"lens"},{"id":"ca0f3e20-6e48-11ec-864c-8b5450f97635","name":"37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9","type":"lens"},{"id":"ca0f3e20-6e48-11ec-864c-8b5450f97635","name":"37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9","type":"lens"},{"id":"endgame-*","name":"37330ea4-1070-465d-8356-97f438a273f9:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"37330ea4-1070-465d-8356-97f438a273f9:indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7","type":"index-pattern"},{"id":"3ab5c280-6f06-11ec-864c-8b5450f97635","name":"b3f00dae-22f1-4455-a672-087870874671:panel_b3f00dae-22f1-4455-a672-087870874671","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,320],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzcxLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"radius.reply_message.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"radius.reply_message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,322],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzcyLDE1XQ=="} 
-{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Sysmon","version":1},"coreMigrationVersion":"7.16.2","id":"6281da80-c780-11ea-bebb-37c5ab5894ea","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,324],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Sysmon Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"p
ercentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Sysmon Datasets\"}"},"coreMigrationVersion":"7.16.2","id":"0caa7df0-c781-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"6281da80-c780-11ea-bebb-37c5ab5894ea","name":"search_0","type":"search"}],"sort":[1643385898421,326],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzc0LDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:conn\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Connections","version":1},"coreMigrationVersion":"7.16.2","id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,328],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzc1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connections Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date_range\",\"params\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"params\":{},\"label\":\"@timestamp date 
ranges\",\"aggType\":\"date_range\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"coreMigrationVersion":"7.16.2","id":"34721460-6ebc-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,330],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzc2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,332],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzc3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - 
State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"connection.state.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"State\"}}]}"},"coreMigrationVersion":"7.16.2","id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,334],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzc4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Connections - State 
(Desc)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state_description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Connections - State (Desc)\"}"},"coreMigrationVersion":"7.16.2","id":"dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,336],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzc5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Client Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Client 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client Bytes\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Bytes\"}}]}"},"coreMigrationVersion":"7.16.2","id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,338],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Responder Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Responder 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Bytes\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Bytes\"}}]}"},"coreMigrationVersion":"7.16.2","id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,340],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzgxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - History","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - 
History\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.history.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"History\"}}]}"},"coreMigrationVersion":"7.16.2","id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,342],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzgyLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:conn\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\"},\"panelIndex\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":13,\"h\":9,\"i\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\"},\"panelIndex\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":9,\"i\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\"},\"panelIndex\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":11,\"h\":18,\"i\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\"},\"panelIndex\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":11,\"y\":9,\"w\":12,\"h\":18,\"i\":\"5558d00d-f3fd-4051-96a4-384134149228\"},\"panelIndex\":\"5558d00d-f3fd-4051-96a4-384134149228\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":23,\"y\":9,\"w\":13,\"h\":18,\"i\":\"ccdbd90c-299e-4e60-a139-1505f1329071\"},\"panelIndex\":\"ccdbd90c-299e-4e60-a139-1505f1329071\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":18,\"i\":\"d678bf2f-f183-4981-9142-976880029daa\"},\"panelIndex\":\"d678bf2f-f183-4981-9142-976880029daa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version
\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":18,\"i\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\"},\"panelIndex\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":27,\"w\":9,\"h\":18,\"i\":\"598bda31-1136-4474-9384-451491a71d23\"},\"panelIndex\":\"598bda31-1136-4474-9384-451491a71d23\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":27,\"w\":9,\"h\":18,\"i\":\"8192def5-399b-4728-8646-edf393b63b7e\"},\"panelIndex\":\"8192def5-399b-4728-8646-edf393b63b7e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":37,\"y\":27,\"w\":11,\"h\":18,\"i\":\"755322ff-13a8-4121-a2db-6322c037e8b3\"},\"panelIndex\":\"755322ff-13a8-4121-a2db-6322c037e8b3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"a03bb16a-9d36-4cad-91a3-256b29489fd7\"},\"panelIndex\":\"a03bb16a-9d36-4cad-91a3-256b29489fd7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - 
Connections","version":1},"coreMigrationVersion":"7.16.2","id":"0cc628b0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"34721460-6ebc-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"c9121690-6ea0-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"23b65290-6ea2-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"},{"id":"98f6e9d0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"70565ec0-6ea1-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"},{"id":"5414ad60-6ea2-11ea-9266-1fd14ca6af34","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"sort":[1643385898421,355],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category.keyword : \\\"process\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Event.Cat:Process Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All Event.Cat:Process Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}}}"},"coreMigrationVersion":"7.16.2","id":"0d0c0750-6348-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,358],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzg0LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_modbus\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Modbus - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,360],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzg1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Modbus - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,362],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzg2LDE1XQ=="} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Weird - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,364],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 
hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - Log Count Over TIme\",\"type\":\"line\"}"},"coreMigrationVersion":"7.16.2","id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,366],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzg4LDE1XQ=="} -{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - 
Alerts","version":1},"coreMigrationVersion":"7.16.2","id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"sort":[1643385898421,369],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzg5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,371],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzkwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Alert Level (Pie Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Alert Level (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Alert Level\"}}]}"},"coreMigrationVersion":"7.16.2","id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,373],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzkxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG4pcDxQT5EBNmq3pi","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,375],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Event Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Event 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Username\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,377],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - User to Escalated User (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - User to Escalated User (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"escalated_user.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Escalated User\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,379],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzk0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Command (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Command (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,381],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"OSSEC Alerts - Process and Username (Data Table)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"OSSEC Alerts - Process and Username (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Process\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"coreMigrationVersion":"7.16.2","id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,383],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzk2LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"h\":60,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":28,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":56,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":28,\"i\":\"13\",\"w\":24,\"x\":8,\"y\":8},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":36},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":28,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":24,\"x\":8,\"y\":36},\"panelIndex\":\"16\",\"embeddableConfig\":{\"spy\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - OSSEC Alerts","version":1},"coreMigrationVersion":"7.16.2","id":"0de7a390-3644-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"4fa0e530-3644-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"69d98570-398b-11e7-84f8-a1f7cef50fcb","name":"panel_2","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_4","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"1de31b40-4a42-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"},{"id":"9ff34f60-4a42-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"447bd2f0-4a43-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"sort":[1643385898421,393],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzk3LDE1XQ=="} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SNMP - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"b12150a0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,395],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,397],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzNzk5LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Alert Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Playbook](/kibana/app/dashboards#/view/f449f0a0-c77c-11ea-bebb-37c5ab5894ea) \\n[Suricata](/kibana/app/dashboards#/view/81057f40-7733-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/dashboards#/view/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n[Zeek](/kibana/app/dashboards#/view/fa9ed760-7734-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Alert Data\"}"},"coreMigrationVersion":"7.16.2","id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,398],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODAwLDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - Alerts","version":1},"coreMigrationVersion":"7.16.2","id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,400],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODAxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts - 
Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"coreMigrationVersion":"7.16.2","id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"sort":[1643385898421,402],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODAyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Alerts Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"coreMigrationVersion":"7.16.2","id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"sort":[1643385898421,404],"type":"visuali
zation","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODAzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Rule - 
Name\"}"},"coreMigrationVersion":"7.16.2","id":"508fb520-72af-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"sort":[1643385898421,406],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Severity","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.severity_label.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - Rule - Severity\"}"},"coreMigrationVersion":"7.16.2","id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,408],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODA1LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Rule - Category","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"sort":[1643385898421,410],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Destination Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Destination 
Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,412],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODA3LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: alert\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Low & Medium 
Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":1,\"lt\":3},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"range\":{\"event.severity\":{\"gte\":1,\"lt\":3}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"High & Critical Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":3,\"lt\":5},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"range\":{\"event.severity\":{\"gte\":3,\"lt\":5}}}]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":8,\"i\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\"},\"panelIndex\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":0,\"w\":13,\"h\":8,\"i\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\"},\"panelIndex\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":8,\"i\":\"41a7c313-2dc3-4563-8545-a55f57af532c\"},\"panelIndex\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":29,\"h\":19,\"i\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\"},\"panelIndex\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\"},\"panelIndex\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":18,\"i\":\"eee7
4597-fa74-4bf6-9c71-429bfe4c3ecd\"},\"panelIndex\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":27,\"w\":10,\"h\":18,\"i\":\"fa0e8955-a837-400c-abcb-43394471b39d\"},\"panelIndex\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":27,\"w\":10,\"h\":18,\"i\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\"},\"panelIndex\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":27,\"w\":9,\"h\":18,\"i\":\"799598a4-39de-455d-bc39-409466b8b119\"},\"panelIndex\":\"799598a4-39de-455d-bc39-409466b8b119\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"a801f4a1-b678-47f2-9602-9c46e65533ca\"},\"panelIndex\":\"a801f4a1-b678-47f2-9602-9c46e65533ca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - 
Alerts","version":1},"coreMigrationVersion":"7.16.2","id":"0e4af1d0-72ae-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"931cb6f0-72ae-11ea-8dd2-9d8795a1200b","name":"panel_1","type":"visualization"},{"id":"b419b100-72ae-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,425],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODA4LDE1XQ=="} -{"attributes":{"columns":["event_type","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:sysmon\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Sysmon - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,427],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODA5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source Hostname\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Hostname\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,429],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODEwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.client.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,431],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODExLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Logs","version":1},"coreMigrationVersion":"7.16.2","id":"aa05e920-3433-11e7-8867-29a39c0f86b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,433],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODEyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors/Devices - Total Number of Logs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices 
- Total Number of Logs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}}]}"},"coreMigrationVersion":"7.16.2","id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"sort":[1643385898421,435],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODEzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Direction","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Direction\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.direction.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.direction.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Direction\"}}]}"},"coreMigrationVersion":"7.16.2","id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,437],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODE0LDE1XQ=="} -{"attributes":{"columns":["source_ip","destination_ip","message_types","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dhcp\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DHCP - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,439],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODE1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Destination IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1055ada0-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,441],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODE2LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9629c970-29fd-421c-a46a-0bf72171818e":{"columnOrder":["398df44e-6553-4353-b8eb-a2d6c9f83dac"],"columns":{"398df44e-6553-4353-b8eb-a2d6c9f83dac":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"registry\" "},"visualization":{"accessor":"398df44e-6553-4353-b8eb-a2d6c9f83dac","layerId":"9629c970-29fd-421c-a46a-0bf72171818e","layerType":"data"}},"title":"Endgame - All Event.Cat:Registry 
Logs","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"10af1a20-6cc9-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-9629c970-29fd-421c-a46a-0bf72171818e","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,445],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODE3LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DCE/RPC - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,447],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,449],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODE5LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RADIUS - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"75545310-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,451],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODIwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - 
MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,453],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODIxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,455],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Logstash - Processing Performance","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Processing Performance\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Log Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Average processing time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Standard Deviation of 
logstash_time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"customLabel\":\"Average processing time\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":20,\"orderAgg\":{\"id\":\"2-orderAgg\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"orderAgg\",\"params\":{\"field\":\"logstash_time\"}},\"order\":\"desc\",\"orderBy\":\"custom\",\"customLabel\":\"Log Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"std_dev\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"sort":[1643385898421,457],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODIzLDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR 
tags:_rubyexception\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Errors","version":1},"coreMigrationVersion":"7.16.2","id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,459],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODI0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Logstash - Error Type (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Logstash - Error Type (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"include\":\"_csvparsefailure|_grokparsefailure|_rubyexception\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.14.0"
},"references":[{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"search_0","type":"search"}],"sort":[1643385898421,461],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Avg Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Avg Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHIynExQT5EBNmq49q","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,463],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODI2LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Median Processing TIme","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Median Processing TIme\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"median\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"percents\":[50]}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHJY1BxQT5EBNmq5Ay","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,465],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODI3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Max Processing Time","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Max Processing 
Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHJpuBxQT5EBNmq5Cr","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,467],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODI4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Logstash - Error Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Logstash - Error Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHKEF2xQT5EBNmq5FA","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,469],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors/Devices and Services","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sensors/Devices and 
Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,471],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODMwLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":28,\"x\":8,\"y\":36,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":64,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":64,\"x\":0,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":88,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":16,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":24,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":32,\"y\":0,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableCo
nfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":28,\"x\":20,\"y\":36,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Stats","version":1},"coreMigrationVersion":"7.16.2","id":"130017f0-46ce-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"f86bc870-46ce-11e7-946f-1bfb1be7c36b","name":"panel_0","type":"visualization"},{"id":"0f25aac0-3434-11e7-8867-29a39c0f86b2","name":"panel_1","type":"visualization"},{"id":"3a273780-46d0-11e7-946f-1bfb1be7c36b","name":"panel_2","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_3","type":"visualization"},{"id":"ef487fd0-46cf-11e7-ba56-317a6969f55c","name":"panel_4","type":"search"},{"id":"AWDHIynExQT5EBNmq49q","name":"panel_5","type":"visualization"},{"id":"AWDHJY1BxQT5EBNmq5Ay","name":"panel_6","type":"visualization"},{"id":"AWDHJpuBxQT5EBNmq5Cr","name":"panel_7","type":"visualization"},{"id":"AWDHKEF2xQT5EBNmq5FA","name":"panel_8","type":"visualization"},{"id":"d8214de0-4a3a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"sort":[1643385898421,482],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODMxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination - Sum of Total Bytes ( Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1342e630-4632-11e7-9903-85f789353078","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,484],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODMyLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9f5d45b0-a078-4f86-b1f0-8e375d4ad641":{"columnOrder":["b67d303e-9a64-468a-9297-60ee2bb030cf","8fdfcdad-b05c-410d-a776-3e8ac8a74dc2"],"columns":{"8fdfcdad-b05c-410d-a776-3e8ac8a74dc2":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"b67d303e-9a64-468a-9297-60ee2bb030cf":{"dataType":"string","isBucketed":true,"label":"Top values of 
endgame.event_subtype_full","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8fdfcdad-b05c-410d-a776-3e8ac8a74dc2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":6},"scale":"ordinal","sourceField":"endgame.event_subtype_full"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["b67d303e-9a64-468a-9297-60ee2bb030cf"],"layerId":"9f5d45b0-a078-4f86-b1f0-8e375d4ad641","layerType":"data","legendDisplay":"show","metric":"8fdfcdad-b05c-410d-a776-3e8ac8a74dc2","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Endgame - Event Category Pie Chart","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"137cda90-6a20-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-9f5d45b0-a078-4f86-b1f0-8e375d4ad641","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,488],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODMzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response Code Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - DNS - Response Code Name\"}"},"coreMigrationVersion":"7.16.2","id":"13cda410-c770-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,490],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODM0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}}]}"},"coreMigrationVersion":"7.16.2","id":"13ed0810-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,492],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODM1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Connection State","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Connection State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection_state_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State 
Description\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"13fe29c0-3b17-11e7-b871-5f76306b9694","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,494],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODM2LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"RFB - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"8ba53710-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,496],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODM3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Exclusive Session (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RFB - Exclusive Session (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"share_flag.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"14274040-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,498],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODM4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agents","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.type.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.version.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"coreMigrationVersion":"7.16.2","id":"14ed9540-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,500],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODM5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Length (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Length (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_key_length\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"150f7280-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,502],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - Description","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1563f380-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,504],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQxLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(event_type:bro_smb_mapping OR event_type:bro_smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMB - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"19849f30-3aab-11e7-8b17-0d8709b02c80","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,506],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,508],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Server Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Server 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Address\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"15fa3b30-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,510],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQ0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"178209e0-6e1b-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,512],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQ1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Destination 
Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"19dfd180-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,514],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQ2LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event_type:ids\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"NIDS - Alerts","version":1},"coreMigrationVersion":"7.16.2","id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,516],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - 
Alert Title","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Alert Title\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":12}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"alert.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,518],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQ4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Source IP Address","uiStateJSON":"{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1b837b00-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,520],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Total Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"sort":[1643385898421,522],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODUwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,524],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODUxLDE1XQ=="} -{"attributes":{"columns":["entry","entry_location","image_path","hostname","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:autoruns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Autoruns - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"dd700830-6d69-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,526],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODUyLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Profile","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Profile\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"profile.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Profile\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,528],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODUzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"ElastAlert - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,530],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODU0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Alert Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Alert 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert_info.type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,532],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODU1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Rule","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - 
Rule\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Rule\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,534],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODU2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.source.ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,536],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination.ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,538],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODU4LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"ElastAlert - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"ElastAlert - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,540],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODU5LDE1XQ=="} 
-{"attributes":{"columns":["rule_name","matches","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"ElastAlert","version":1},"coreMigrationVersion":"7.16.2","id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,542],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODYwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Elastalert - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Elastalert - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG7DVRxQT5EBNmq3zM","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:elastalert_status*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,544],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODYxLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIn
dex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"rule_name\",\"matches\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - 
ElastAlert","version":1},"coreMigrationVersion":"7.16.2","id":"1d98d620-7dce-11e7-846a-150cdcaf3374","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"969e4820-7dce-11e7-a1a2-3be6827d22ce","name":"panel_1","type":"visualization"},{"id":"f7998d60-7dce-11e7-a1a2-3be6827d22ce","name":"panel_2","type":"visualization"},{"id":"5e1dc100-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_3","type":"visualization"},{"id":"8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_4","type":"visualization"},{"id":"a26faee0-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_5","type":"visualization"},{"id":"ce25b750-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_6","type":"visualization"},{"id":"e8840d40-7dcf-11e7-a1a2-3be6827d22ce","name":"panel_7","type":"search"},{"id":"AWDG7DVRxQT5EBNmq3zM","name":"panel_8","type":"visualization"}],"sort":[1643385898421,554],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODYyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,556],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODYzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"1ef5c230-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,558],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODY0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Command/Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.command.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.argument.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Argument\"}}]}"},"coreMigrationVersion":"7.16.2","id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,560],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODY1LDE1XQ=="} -{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame","version":1},"coreMigrationVersion":"7.16.2","id":"20c85b70-53aa-11ec-b3ef-6bcc33056a36","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,562],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODY2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,564],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODY3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC 
Reply\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"coreMigrationVersion":"7.16.2","id":"214793c0-75b9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,566],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODY4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,568],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODY5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Response Code (Name)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Response Code (Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rcode_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code 
(Name)\"}}]}"},"coreMigrationVersion":"7.16.2","id":"22f7de30-4949-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,570],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODcwLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"7d4edcbb-fca9-47d9-93df-acba6aaf6f58":{"columnOrder":["42bc4d8f-a628-4d50-96ac-b186a03aee07","0601e3c4-200d-4b97-adec-7f6a16209269","92a4b279-4a18-4513-a75c-52dcf79a6801"],"columns":{"0601e3c4-200d-4b97-adec-7f6a16209269":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"},"42bc4d8f-a628-4d50-96ac-b186a03aee07":{"dataType":"string","isBucketed":true,"label":"Top values of event.action","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"92a4b279-4a18-4513-a75c-52dcf79a6801","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"event.action"},"92a4b279-4a18-4513-a75c-52dcf79a6801":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["92a4b279-4a18-4513-a75c-52dcf79a6801"],"layerId":"7d4edcbb-fca9-47d9-93df-acba6aaf6f58","layerType":"data","seriesType":"bar_stacked","splitAccessor":"42bc4d8f-a628-4d50-96ac-b186a03aee07","xAccessor":"0601e3c4-200d-4b97-adec-7f6a16209269"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Network Category Graph","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"22ffcc70-6322-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,575],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODcxLDE1XQ=="} 
-{"attributes":{"columns":["source_ip","destination_ip","destination_port","resp_fuids","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"HTTP - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"fad7d170-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,577],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODcyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"37f19e40-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,579],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Sites","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8ba31820-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,581],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODc0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Sites Hosting EXEs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Sites Hosting 
EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,583],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODc1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - URIs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,585],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODc2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,587],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODc3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d0f56da0-3648-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,589],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODc4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ae591c20-4164-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,591],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODc5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Referrer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - 
Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"referrer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,593],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - MIME Type (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - MIME Type (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_mime_types.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"934fe550-6e08-11e7-9370-174c4785d3e1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,595],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODgxLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Port (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75,\"filter\":true},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"
fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,597],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODgyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Destination Country (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"HTTP - Destination Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"
order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,599],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"HTTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG97t7xQT5EBNmq4E1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,601],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODg0LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"HTTP - Status and Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_message.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}"},"coreMigrationVersion":"7.16.2","id":"66faa650-4c99-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,603],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODg1LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"resp_fuids\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"so
rt\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}},\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"z16.04 - Bro - 
HTTP","version":1},"coreMigrationVersion":"7.16.2","id":"230134a0-34c6-11e7-8360-0b86c90983fd","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"37f19e40-34c6-11e7-8360-0b86c90983fd","name":"panel_1","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_2","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_3","type":"visualization"},{"id":"aa7abb00-34e3-11e7-9669-7f1d3242b798","name":"panel_4","type":"visualization"},{"id":"fad7d170-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_6","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"ae591c20-4164-11e7-9850-b78558d0ac17","name":"panel_8","type":"visualization"},{"id":"2a7c21d0-4165-11e7-9850-b78558d0ac17","name":"panel_9","type":"visualization"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_10","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_11","type":"visualization"},{"id":"e41a0bd0-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"AWDG97t7xQT5EBNmq4E1","name":"panel_13","type":"visualization"},{"id":"66faa650-4c99-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"sort":[1643385898421,619],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODg2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Validation Status","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Validation 
Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,621],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Connections - Bytes and Duration","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Bytes and Duration\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Top Total Bytes](/kibana/app/dashboards#/view/a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b) \\n[Source - Originator Bytes](/kibana/app/dashboards#/view/68f738e0-46ca-11e7-946f-1bfb1be7c36b) | [Destination - Responder Bytes](/kibana/app/dashboards#/view/b65775e0-46cb-11e7-946f-1bfb1be7c36b) \\n[Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f042ad60-46c6-11e7-946f-1bfb1be7c36b) | [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/ccfcc540-4638-11e7-a82e-d97152153689) \\n[Source - Top Connection Duration](/kibana/app/dashboards#/view/4e108070-46c7-11e7-946f-1bfb1be7c36b) | [Destination - Top Connection 
Duration](/kibana/app/dashboards#/view/ea211360-46c4-11e7-a82e-d97152153689)\",\"fontSize\":12,\"openLinksInNewTab\":false},\"aggs\":[]}"},"coreMigrationVersion":"7.16.2","id":"25ce6eb0-463b-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,622],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODg4LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_tunnels\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Tunnels - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"d26d5510-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,624],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODg5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,626],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODkwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,628],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODkxLDE1XQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Syslog (Bro) - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,630],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category.keyword : \\\"process\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Event.Cat:Process Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Event.Cat:Process Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\
"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"coreMigrationVersion":"7.16.2","id":"269cd740-634c-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,633],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.method.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"coreMigrationVersion":"7.16.2","id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,635],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODk0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Bro - Connections - Service By Destination Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Connections - Service By Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"},"coreMigrationVersion":"7.16.2","id":"277f3250-4161-11e7-8493-51634b0a4565","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,637],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RADIUS - Result","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RADIUS - 
Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"radius.result.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}"},"coreMigrationVersion":"7.16.2","id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,639],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODk2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_argument.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e1907430-35b6-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,641],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODk3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Reply Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"reply_message.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply 
Message\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"adcd38e0-3679-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,643],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Reply Code","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"reply_code.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a0cb0860-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,645],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzODk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"cf9e5660-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,647],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTAwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f1d3d070-367a-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,649],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTAxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Username","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f9904390-3bff-11e7-be35-e7fc4052ff75","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,651],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTAyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,653],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTAzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG9sT_xQT5EBNmq4DI","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,655],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"FTP - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FTP - 
Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,657],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTA1LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"panelIndex\":\"8\
",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Bro - 
FTP","version":1},"coreMigrationVersion":"7.16.2","id":"27f3b380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"06f21d60-35b6-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"e1907430-35b6-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"adcd38e0-3679-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"a0cb0860-367a-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"cf9e5660-367a-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"f1d3d070-367a-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"f9904390-3bff-11e7-be35-e7fc4052ff75","name":"panel_7","type":"visualization"},{"id":"f21cb5f0-342d-11e7-9e93-53b62e1857b2","name":"panel_8","type":"search"},{"id":"eead8540-6e14-11e7-8624-1fb07dd76c6a","name":"panel_9","type":"visualization"},{"id":"AWDG9sT_xQT5EBNmq4DI","name":"panel_10","type":"visualization"},{"id":"d5681260-4c8c-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"sort":[1643385898421,670],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTA2LDE1XQ=="} -{"attributes":{"columns":["alert_level","classification","description"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,672],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTA3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"OSSEC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"m
in_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"sort":[1643385898421,674],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTA4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.machine.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Machine\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - Machine\"}"},"coreMigrationVersion":"7.16.2","id":"282bf2c0-c763-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,676],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTA5LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Key Type (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.basic_constraints.ca: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - X.509 - Key Type (Donut)\"}"},"coreMigrationVersion":"7.16.2","id":"2895c940-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,678],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTEwLDE1XQ=="} 
-{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - HTTP","version":1},"coreMigrationVersion":"7.16.2","id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,680],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTExLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Virtual Host","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Virtual Host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.virtual_host.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Virtual 
Host\"}}]}"},"coreMigrationVersion":"7.16.2","id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,682],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTEyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top Source IPs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top Source IPs\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,684],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTEzLDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","request_type","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Kerberos - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"452daa10-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,686],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTE0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,688],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTE1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"CLient\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"coreMigrationVersion":"7.16.2","id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,690],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTE2LDE1XQ=="} -{"attributes":{"columns":["file_ip","destination_ip","source","uid","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Files - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,692],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTE3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,694],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Target Filename","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Target 
Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"target_filename.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Filename\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"29611940-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,696],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTE5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"296823d0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,698],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTIwLDE1XQ=="} -{"attributes":{"columns":["action","reason","source_ip","source_port","destination_ip","destination_port","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:firewall\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Firewall - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"37c16940-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,700],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTIxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Action/Reason (Vertical Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Action/Reason (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Action\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"reason.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reason\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,702],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - 
Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,704],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTIzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dhcp.lease_time: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.lease_time\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2af5f980-96e2-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,706],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTI0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Client/Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - 
Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,708],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Registry Events","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Registry 
Events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host.hostname\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":7,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"hostname\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"registry.key\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"registry key\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"registry.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"value\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"coreMigrationVersion":"7.16.2","id":"2cb579d0-64bd-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,711],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6571ee10-3584-11e7-a588-05992195c551","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,713],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTI3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Files By Size 
(Bytes)","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"seen_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,715],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTI4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,717],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - MIME Type (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Files - MIME Type (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME 
Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mimetype.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,719],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTMwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"FIles - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"FIles - 
MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"aa021c90-3678-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,721],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTMxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Files - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG9goqxQT5EBNmq4BP","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,723],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTMyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Files - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Files - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}"},"coreMigrationVersion":"7.16.2","id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,725],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTMzLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"file_ip\",\"destination_ip\",\"source\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridDa
ta\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Files","version":1},"coreMigrationVersion":"7.16.2","id":"2d315d80-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"6571ee10-3584-11e7-a588-05992195c551","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"e929e8a0-342d-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"cb3f3850-3585-11e7-8f28-2b291d0f6d86","name":"panel_3","type":"visualization"},{"id":"295d7ed0-3656-11e7-baa7-b7de4ee40605","name":"panel_4","type":"visualization"},{"id":"67ab33d0-3656-11e7-baa7-b7de4ee40605","name":"panel_5","type":"visualization"},{"id":"8c57f3d0-3674-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"aa021c90-3678-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"AWDG9goqxQT5EBNmq4BP","name":"panel_8","type":"visualization"},{"id":"dff32860-4c8b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"sort":[1643385898421,736],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTM0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Request Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - Request 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.request_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,738],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTM1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,740],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTM2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Content Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Content Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2db47070-3754-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,742],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTM3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,744],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTM4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - SAN DNS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - SAN 
DNS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.san_dns.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.san_dns.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SAN DNS\"}}]}"},"coreMigrationVersion":"7.16.2","id":"47f40770-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,746],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTM5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X.509 - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - X.509 - 
Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"coreMigrationVersion":"7.16.2","id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,748],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - X509 - Key 
Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - X509 - Key Type\"}"},"coreMigrationVersion":"7.16.2","id":"8d4a9990-c77c-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,750],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:x509\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":8,\"i\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\"},\"panelIndex\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":8,\"i\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\"},\"panelIndex\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\"},\"panelIndex\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":30,\"h\":22,\"i\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\"},\"panelIndex\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":22,\"i\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\"},\"panelIndex\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":30,\"h\":21,\"i\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\"},\"panelIndex\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":30,\"w\":18,\"h\":21,\"i\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\"},\"panelIndex\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"versio
n\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":51,\"w\":48,\"h\":29,\"i\":\"3fa098f8-4a37-410e-a8f5-fd3667865c3f\"},\"panelIndex\":\"3fa098f8-4a37-410e-a8f5-fd3667865c3f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - X509","version":1},"coreMigrationVersion":"7.16.2","id":"2e0865f0-75ee-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"e3fb39a0-75ee-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"47f40770-75ef-11ea-9565-7315f4ee5cac","name":"panel_4","type":"visualization"},{"id":"b7334c00-75ee-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8d4a9990-c77c-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,759],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - 
Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.cookie.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.cookie.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cookie\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,761],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Entry","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - 
Entry\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry_location.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry Location\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,763],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQ0LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"d3d228ff-cc82-48f3-948f-6dad9c1d9208":{"columnOrder":["fb32a3f2-725e-4068-abde-754d39d98a5c","0b079a50-9c2b-47f9-b075-b982490e923c","0b079a50-9c2b-47f9-b075-b982490e923cX0"],"columns":{"0b079a50-9c2b-47f9-b075-b982490e923c":{"dataType":"number","isBucketed":false,"label":"count()","operationType":"formula","params":{"formula":"count()","isFormulaBroken":false},"references":["0b079a50-9c2b-47f9-b075-b982490e923cX0"],"scale":"ratio"},"0b079a50-9c2b-47f9-b075-b982490e923cX0":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Part of count()","operationType":"count","scale":"ratio","sourceField":"Records"},"fb32a3f2-725e-4068-abde-754d39d98a5c":{"dataType":"string","isBucketed":true,"label":"Top values of 
event.type","operationType":"terms","params":{"missingBucket":false,"orderBy":{"fallback":true,"type":"alphabetical"},"orderDirection":"asc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.type"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["fb32a3f2-725e-4068-abde-754d39d98a5c"],"layerId":"d3d228ff-cc82-48f3-948f-6dad9c1d9208","layerType":"data","legendDisplay":"show","metric":"0b079a50-9c2b-47f9-b075-b982490e923c","nestedLegend":false,"numberDisplay":"percent"}],"palette":{"name":"default","type":"palette"},"shape":"donut"}},"title":"Endgame - Network Type Chart","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"2f20b2c0-6323-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-d3d228ff-cc82-48f3-948f-6dad9c1d9208","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,768],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQ1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - Change 
Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"sort":[1643385898421,770],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQ2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All Log Count Over 
Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"coreMigrationVersion":"7.16.2","id":"2f7966b0-53a4-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"t
ag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,773],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:files\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Analyzer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Analyzer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.analyzer.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.analyzer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analyzer\"}}]}"},"coreMigrationVersion":"7.16.2","id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,775],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQ4LDE1XQ=="} -{"attributes":{"columns":["source_ip","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNP3 - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"c2587840-342d-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,777],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNP3 - Log Count Over 
TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"593f1850-3581-11e7-98ef-19df58fe538b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,779],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTUwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,781],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTUxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,783],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTUyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,785],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTUzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNP3 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNP3 - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG9DWvxQT5EBNmq3-m","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,787],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTU0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Request","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function 
Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_request.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}"},"coreMigrationVersion":"7.16.2","id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,789],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTU1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNP3 - Function Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNP3 - Function 
Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_reply.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}"},"coreMigrationVersion":"7.16.2","id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,791],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTU2LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"vers
ion\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - Bro - 
DNP3","version":1},"coreMigrationVersion":"7.16.2","id":"2fdf5bf0-3581-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"593f1850-3581-11e7-98ef-19df58fe538b","name":"panel_1","type":"visualization"},{"id":"dde8c8a0-3719-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"ef7546c0-3719-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"c2587840-342d-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4898f230-6e0e-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG9DWvxQT5EBNmq3-m","name":"panel_6","type":"visualization"},{"id":"857c6760-4a4d-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"bd5435f0-4a4d-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"sort":[1643385898421,801],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Intel - Seen (Donut Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Intel - Seen (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"seen_where.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3013af40-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,803],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTU4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Authentication Result","uiStateJSON":"{\"vis\":{\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"RADIUS - Authentication 
Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,805],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File/Path Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File 
Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"action.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"306c4330-4175-11e7-a0f7-47f4c03e3306","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,807],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTYwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3072c750-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,809],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTYxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"title":"Security Onion - Navigation","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Navigation\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Event Category** \\n[Alert](/kibana/app/dashboards#/view/0e4af1d0-72ae-11ea-8dd2-9d8795a1200b) | \\n[File](/kibana/app/dashboards#/view/0245be10-6ec1-11ea-9266-1fd14ca6af34) |\\n[Host](/kibana/app/dashboards#/view/92e63cc0-6ec0-11ea-9266-1fd14ca6af34) | [Network](/kibana/app/dashboards#/view/04ff3ef0-6ea4-11ea-9266-1fd14ca6af34) 
\"},\"aggs\":[]}"},"coreMigrationVersion":"7.16.2","id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,810],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTYyLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\"},\"panelIndex\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":0,\"w\":16,\"h\":8,\"i\":\"77c5d557-83e4-40b9-9177-388db29d711d\"},\"panelIndex\":\"77c5d557-83e4-40b9-9177-388db29d711d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":8,\"i\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\"},\"panelIndex\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"54873f75-4452-4938-840d-3a2f50547a88\"},\"panelIndex\":\"54873f75-4452-4938-840d-3a2f50547a88\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":13,\"h\":19,\"i\":\"30749cb6-18ad-4069-b18d-5912086fff9c\"},\"panelIndex\":\"30749cb6-18ad-4069-b18d-5912086fff9c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":19,\"i\":\"7c498d50-d009-493a-a8c9-c91303ad5556\"},\"panelIndex\":\"7c498d50-d009-493a-a8c9-c91303ad5556\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"
version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":19,\"i\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\"},\"panelIndex\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":31,\"i\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\"},\"panelIndex\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Indicator","version":1},"coreMigrationVersion":"7.16.2","id":"30d0ac90-729f-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"d9eb5b30-6ea9-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,819],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTYzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,821],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTY0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"312cd460-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,823],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTY1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.server_major_version.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"},"coreMigrationVersion":"7.16.2","id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,825],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTY2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"317f8410-3655-11e7-baa7-b7de4ee40605","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,827],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTY3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,829],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTY4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"title":"Security Onion - Host Data","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Osquery](/kibana/app/dashboards#/view/bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05) \\n[Sysmon](/kibana/app/dashboards#/view/32f01e80-c780-11ea-bebb-37c5ab5894ea) \\n[Wazuh](/kibana/app/dashboards#/view/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Host Data\"}"},"coreMigrationVersion":"7.16.2","id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,830],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTY5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - 
Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Username\"}"},"coreMigrationVersion":"7.16.2","id":"767c89f0-af4c-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,832],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTcwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process CLI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - Process 
CLI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.command_line.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Line\"}}]}"},"coreMigrationVersion":"7.16.2","id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,834],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTcxLDE1XQ=="} -{"attributes":{"columns":["host.name","event.module","event.dataset","process.command_line","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:host \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[],"title":"Security Onion - Host 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"a866be10-0e45-11eb-a255-e1e8e85e3571","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,836],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTcyLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":16,\"i\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\"},\"panelIndex\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":12,\"y\":7,\"w\":12,\"h\":16,\"i\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\"},\"panelIndex\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":7,\"w\":24,\"h\":16,\"i\":\"1d246882-3945-4a7e-b602-15ccf3f09310\"},\"pan
elIndex\":\"1d246882-3945-4a7e-b602-15ccf3f09310\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"48739737-ef82-4533-9a8e-f9fe0f615b05\"},\"panelIndex\":\"48739737-ef82-4533-9a8e-f9fe0f615b05\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Security Onion - Sysmon","version":1},"coreMigrationVersion":"7.16.2","id":"32f01e80-c780-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_4","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"a866be10-0e45-11eb-a255-e1e8e85e3571","name":"panel_6","type":"search"}],"sort":[1643385898421,844],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Query Type Name (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Query Type Name 
(Donut)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dns.query.type_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"},"coreMigrationVersion":"7.16.2","id":"336dbde0-88aa-11eb-9841-852c8cc8a2e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,846],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTc0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Action (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Action (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"},"coreMigrationVersion":"7.16.2","id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,848],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTc1LDE1XQ=="} 
-{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"IRC - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"344c6010-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,850],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTc2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Severity (Horizontal Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Severity (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"severity.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,852],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTc3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - Share Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - Share 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.share_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"34762420-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,854],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTc4LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0":{"columnOrder":["b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e"],"columns":{"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":"event.category.keyword : 
\"file\""},"visualization":{"accessor":"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e","layerId":"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0","layerType":"data"}},"title":"Endgame - File All Logs","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"3505d400-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,859],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTc5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,861],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message 
Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - DHCP - Message Type\"}"},"coreMigrationVersion":"7.16.2","id":"36200e40-c76b-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,863],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTgxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Changes by Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Changes by 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Change Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"search_0","type":"search"}],"sort":[1643385898421,865],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTgyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"3753e110-365a-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,867],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - IRC - Command Info","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - IRC - Command Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.command.info.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc.command.info.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Info\"}}]}"},"coreMigrationVersion":"7.16.2","id":"db279540-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,869],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTg0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - User Command Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - User Command Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.nickname.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command Type\",\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.username.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.username.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.nickname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.command.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command 
Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,871],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTg1LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:irc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\"},\"panelIndex\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\"},\"panelIndex\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\"},\"panelIndex\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\"},\"panelIndex\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":9,\"h\":19,\"i\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\"},\"panelIndex\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":17,\"y\":8,\"w\":15,\"h\":19,\"i\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\"}
,\"panelIndex\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\"},\"panelIndex\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":47,\"h\":29,\"i\":\"f5bae4c6-d940-4a76-ba9c-3d5c5ab6849e\"},\"panelIndex\":\"f5bae4c6-d940-4a76-ba9c-3d5c5ab6849e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - IRC","version":1},"coreMigrationVersion":"7.16.2","id":"38523560-75ba-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db279540-75bb-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"f7ee5fb0-75bb-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,880],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTg2LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"d1d0219a-3c5d-4c24-943c-dafe00421b26":{"columnOrder":["e3d97be9-0be4-484c-96d1-4a0a448d0cc5","caaf881d-e6f4-42fd-a4a1-4f31bac99ae1","01d1bced-438c-4d43-8656-c0ccc397b73a","32e4e9b9-39d0-4f61-827b-d04b53c6963d","7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2"],"columns":{"01d1bced-438c-4d43-8656-c0ccc397b73a":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"process.name"},"32e4e9b9-39d0-4f61-827b-d04b53c6963d":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"user.name"},"7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Total 
network.bytes","operationType":"sum","scale":"ratio","sourceField":"network.bytes"},"caaf881d-e6f4-42fd-a4a1-4f31bac99ae1":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"destination.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"destination.ip"},"e3d97be9-0be4-484c-96d1-4a0a448d0cc5":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"source.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"source.ip"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"01d1bced-438c-4d43-8656-c0ccc397b73a","isTransposed":false},{"columnId":"32e4e9b9-39d0-4f61-827b-d04b53c6963d","isTransposed":false},{"columnId":"7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2","isTransposed":false},{"columnId":"e3d97be9-0be4-484c-96d1-4a0a448d0cc5","isTransposed":false},{"columnId":"caaf881d-e6f4-42fd-a4a1-4f31bac99ae1","isTransposed":false}],"layerId":"d1d0219a-3c5d-4c24-943c-dafe00421b26","layerType":"data"}},"title":"Endgame - Network 
Traffic","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"38c95ae0-6e4d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-d1d0219a-3c5d-4c24-943c-dafe00421b26","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,885],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary - Drilldown","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert Summary - Drilldown\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,887],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTg4LDE1XQ=="} -{"attributes":{"columns":["message"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:ossec_archive\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"OSSEC - Archive","version":1},"coreMigrationVersion":"7.16.2","id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,889],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTg5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"OSSEC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"OSSEC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green 
to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHHXl3xQT5EBNmq42U","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"search_0","type":"search"}],"sort":[1643385898421,891],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTkwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"column
s\":[\"message\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"z16.04 - OSSEC","version":1},"coreMigrationVersion":"7.16.2","id":"3a457d70-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2817b300-3643-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"efba60c0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_2","type":"search"},{"id":"ebf74e90-342f-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHHXl3xQT5EBNmq42U","name":"panel_4","type":"visualization"}],"sort":[1643385898421,897],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTkxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Log Count Over Time Stacked Bar Graph","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All Log Count Over Time Stacked Bar 
Graph\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":
true}}"},"coreMigrationVersion":"7.16.2","id":"3ae34620-6258-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,900],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.response.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,902],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTkzLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9643f560-7a46-408c-b61d-ed2a87fc6103":{"columnOrder":["305b2f21-9981-40d5-a79b-f7a78eea89b4","3520723b-f0f3-4845-975c-e97380d8124b"],"columns":{"305b2f21-9981-40d5-a79b-f7a78eea89b4":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3520723b-f0f3-4845-975c-e97380d8124b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"process.name"},"3520723b-f0f3-4845-975c-e97380d8124b":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"layers":[{"categoryDisplay":"default","groups":["305b2f21-9981-40d5-a79b-f7a78eea89b4"],"layerId":"9643f560-7a46-408c-b61d-ed2a87fc6103","layerType":"data","legendDisplay":"default","metric":"3520723b-f0f3-4845-975c-e97380d8124b","nestedLegend":false,"numberDisplay":"percent"}],"palette":{"name":"kibana_palette","type":"palette"},"shape":"treemap"}},"title":"Endgame - Alerted Processes","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"3b3e2860-6cc1-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,906],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTk0LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Hosts","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Hosts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"},"coreMigrationVersion":"7.16.2","id":"3b50b220-53ab-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,908],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Image","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Sysmon - 
Image\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parent_image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parent Image\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,910],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTk2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Priority (Vertical bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Priority (Vertical bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Priority\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog-priority.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"sort":[1643385898421,912],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTk3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,914],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,916],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzEzOTk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,918],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDAwLDE1XQ=="} -{"attributes":{"description":null,"state":{"datasourceStates":{"indexpattern":{"layers":{"ada16f03-98be-4005-a5de-c8d6ab2f41b0":{"columnOrder":["c6cd0d5c-dbcb-47e3-9849-af365d083036","b8110029-a497-4182-982f-dc8a78dc672d","ae6e4640-cf44-48dd-9d9d-8849ed9af262"],"columns":{"ae6e4640-cf44-48dd-9d9d-8849ed9af262":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"},"b8110029-a497-4182-982f-dc8a78dc672d":{"dataType":"string","isBucketed":true,"label":"Top values of event.module.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ae6e4640-cf44-48dd-9d9d-8849ed9af262","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"event.module.keyword"},"c6cd0d5c-dbcb-47e3-9849-af365d083036":{"dataType":"string","isBucketed":true,"label":"Top values of event.category.keyword","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ae6e4640-cf44-48dd-9d9d-8849ed9af262","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.category.keyword"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["c6cd0d5c-dbcb-47e3-9849-af365d083036","b8110029-a497-4182-982f-dc8a78dc672d"],"layerId":"ada16f03-98be-4005-a5de-c8d6ab2f41b0","layerType":"data","legendDisplay":"default","metric":"ae6e4640-cf44-48dd-9d9d-8849ed9af262","nestedLegend":true,"numberDisplay":"percent","percentDecimals":2}],"palette":{"name":"status","type":"palette"},"shape":"pie"}},"title":"Security Onion - Data Overview (Lens)","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"3e1a8260-8809-11eb-9841-852c8cc8a2e8","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"indexpattern-datasource-layer-ada16f03-98be-4005-a5de-c8d6ab2f41b0","type":"index-pattern"}],"sort":[1643385898421,921],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDAxLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.action.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3e6037d0-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,923],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDAyLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"3f040620-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,925],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDAzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,927],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Agent - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Agent - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,929],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDA1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Source IP","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP 
Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,931],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_
count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,933],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDA3LDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:creation_date AND creation_date:[now-3M TO now]\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"DNS - Domains with creation date < 3 months","version":1},"coreMigrationVersion":"7.16.2","id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,935],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDA4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Baby Domain Requests","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Baby Domain 
Requests\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"creation_date\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"search_0","type":"search"}],"sort":[1643385898421,937],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDA5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SNMP - Community 
String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"snmp.community.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"snmp.community.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Community String\"}}]}"},"coreMigrationVersion":"7.16.2","id":"424ace90-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,939],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDEwLDE1XQ=="} 
-{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"process\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"process\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame - Process Search","version":1},"coreMigrationVersion":"7.16.2","id":"424d7a60-6f0b-11ec-864c-8b5450f97635","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"sort":[1643385898421,942],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDExLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"10863c78-73fc-4739-88ea-b6e3419da4db":{"columnOrder":["e472c6a1-d786-43f7-95f0-df55a990e268","4e101a7c-04a5-4ab9-96c5-ef10fc92547b"],"columns":{"4e101a7c-04a5-4ab9-96c5-ef10fc92547b":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"},"e472c6a1-d786-43f7-95f0-df55a990e268":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["4e101a7c-04a5-4ab9-96c5-ef10fc92547b"],"layerId":"10863c78-73fc-4739-88ea-b6e3419da4db","layerType":"data","position":"top","seriesType":"line","showGridlines":false,"xAccessor":"e472c6a1-d786-43f7-95f0-df55a990e268"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"line","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - File Log Count Over 
Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"42a22c30-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-10863c78-73fc-4739-88ea-b6e3419da4db","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,947],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDEyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}"},"coreMigrationVersion":"7.16.2","id":"42b17660-4a47-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,949],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDEzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Syslog - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 10 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"sort":[1643385898421,951],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDE0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Syslog - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-sourceip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"sort":[1643385898421,953],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDE1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHKVLMxQT5EBNmq5HX","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"search_0","type":"search"}],"sort":[1643385898421,955],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDE2LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":
null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":60,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"syslog-host_from\",\"syslog-priority\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"z16.04 - Syslog","version":1},"coreMigrationVersion":"7.16.2","id":"4323af90-76e5-11e7-ab14-e1a4c1bc11e0","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_1","type":"visualization"},{"id":"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0","name":"panel_2","type":"visualization"},{"id":"0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_3","type":"visualization"},{"id":"3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0","name":"panel_4","type":"visualization"},{"id":"5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0","name":"panel_5","type":"search"},{"id":"AWDHKVLMxQT5EBNmq5HX","name":"panel_6","type":"visualization"}],"sort":[1643385898421,963],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDE3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Tunnels - Type (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,965],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Key Algorithm (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"certificate_key_algorithm.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,967],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDE5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Least Common HTTP Methods","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Least Common HTTP 
Methods\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":13,\"maxFontSize\":39,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"asc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,969],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDIwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Source 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,971],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDIxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,973],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - UserAgent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
UserAgent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"UserAgent\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,975],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDIzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.uri.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URI\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,977],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDI0LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:http\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\"},\"panelIndex\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\"},\"panelIndex\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\"},\"panelIndex\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\"},\"panelIndex\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\"},\"panelIndex\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":18,\"i\":\"377e3099-7aec-474c-9201-2f1845c58d24\"},\"panelIndex\":\"377e3099-7aec-474c-9201-2f1845c58d24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":9,\"w\":23,\"h\":18,\"i\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\"},\"panelIndex\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\
"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":11,\"h\":18,\"i\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\"},\"panelIndex\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":11,\"y\":27,\"w\":10,\"h\":18,\"i\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\"},\"panelIndex\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":18,\"i\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\"},\"panelIndex\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"17d41692-eb81-4c13-aaa3-2a4bccc125df\"},\"panelIndex\":\"17d41692-eb81-4c13-aaa3-2a4bccc125df\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
HTTP","version":1},"coreMigrationVersion":"7.16.2","id":"44e9c820-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"6411e5b0-6eb2-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"30e97190-6eb6-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"51ad64d0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"c2f93f40-6ed7-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"088aad70-7377-11ea-a3da-cbdb4f8a90c0","name":"panel_7","type":"visualization"},{"id":"28bf2ef0-6eb7-11ea-9266-1fd14ca6af34","name":"panel_8","type":"visualization"},{"id":"f22e8660-6eb6-11ea-9266-1fd14ca6af34","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"sort":[1643385898421,989],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Modbus - Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Modbus - 
Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"function.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}"},"coreMigrationVersion":"7.16.2","id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,991],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Category","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - 
Category\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Category\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}]}"},"coreMigrationVersion":"7.16.2","id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,993],"type":"visualization","updated_at":"2022-01-28T16:04:
58.421Z","version":"WzE0MDI3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Query Class (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Query Class (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_class_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}"},"coreMigrationVersion":"7.16.2","id":"45a652b0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,995],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDI4LDE1XQ=="} -{"attributes":{"columns":["message","fuid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"PE - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"66288140-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,997],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - OS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - OS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,999],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDMwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.server.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}}]}"},"coreMigrationVersion":"7.16.2","id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1001],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDMxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1003],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDMyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Source IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1005],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDMzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - 
Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1007],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDM0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named 
Pipe\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1009],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDM1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1011],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDM2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Round Trip Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Round Trip 
Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1013],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDM3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG8k4OxQT5EBNmq37a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1015],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDM4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DCE/RPC - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1017],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDM5LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"
x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Bro - 
DCE/RPC","version":1},"coreMigrationVersion":"7.16.2","id":"46582d50-3af2-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"913c5b80-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"cbb67b00-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_2","type":"visualization"},{"id":"f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"10b8a610-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_4","type":"visualization"},{"id":"553acbb0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"6b7122d0-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"86107960-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"f275f490-3af3-11e7-a83b-b1b4da7d15f4","name":"panel_8","type":"visualization"},{"id":"AWDG8k4OxQT5EBNmq37a","name":"panel_9","type":"visualization"},{"id":"d979b0f0-4a45-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"42b17660-4a47-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"}],"sort":[1643385898421,1030],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sources.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"613de590-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1032],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a5571030-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1034],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1036],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Indicator","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - 
Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"indicator.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6380b430-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1038],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQ0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - MIME Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME 
Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"af614b80-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1040],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQ1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Matched","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"matched.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c8540380-399c-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1042],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQ2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Intel - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1044],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Intel - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG-Qf8xQT5EBNmq4G5","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1046],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQ4LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"pa
nelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Intel","version":1},"coreMigrationVersion":"7.16.2","id":"468022c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"361d0bd0-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"3013af40-399b-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"613de590-399b-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"a5571030-399b-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"ba2d3b10-399b-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"6380b430-399c-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"af614b80-399c-11e7-8472-0151e5b2b475","name":"panel_7","type":"visualization"},{"id":"c8540380-399c-11e7-8472-0151e5b2b475","name":"panel_8","type":"visualization"},{"id":"0d4e3a60-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"a5bcec80-6e15-11e7-8624-1fb07dd76c6a","name":"panel_10","type":"visualization"},{"id":"07622d60-6e16-11e7-8624-1fb07dd76c6a","name":"panel_11","type":"visualization"},{"id":"AWDG-Qf8xQT5EBNmq4G5","name":"panel_12","type":"visualization"}],"sort":[1643385898421,1060],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Category","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Autoruns - 
Category\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Category\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"482be9b0-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1062],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDUwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Kerberos - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.service.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"coreMigrationVersion":"7.16.2","id":"48331f00-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1064],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDUxLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"860e44c0-e06a-4d8a-9172-b542532df353":{"columnOrder":["55eacb06-199f-41eb-b6dc-b5b1407b7073","0c6f3897-05c7-4aa3-90e5-17f58946a3af","63defa8c-527b-4165-9fb9-4e564bd03695"],"columns":{"0c6f3897-05c7-4aa3-90e5-17f58946a3af":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"},"55eacb06-199f-41eb-b6dc-b5b1407b7073":{"dataType":"string","isBucketed":true,"label":"Top values of event.action","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"63defa8c-527b-4165-9fb9-4e564bd03695","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.action"},"63defa8c-527b-4165-9fb9-4e564bd03695":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["63defa8c-527b-4165-9fb9-4e564bd03695"],"layerId":"860e44c0-e06a-4d8a-9172-b542532df353","layerType":"data","position":"top","seriesType":"bar_stacked","showGridlines":false,"splitAccessor":"55eacb06-199f-41eb-b6dc-b5b1407b7073","xAccessor":"0c6f3897-05c7-4aa3-90e5-17f58946a3af"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight"
:true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - File Event Action","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"4d6bdc60-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-860e44c0-e06a-4d8a-9172-b542532df353","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1069],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDUyLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"b12aced8-11a0-4a83-a7c5-129f142e8f04":{"columnOrder":["bc61b519-0caa-4bf7-bbe7-6077fb307d0a","f549d182-14e5-4395-b185-4cd192e4030c"],"columns":{"bc61b519-0caa-4bf7-bbe7-6077fb307d0a":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"f549d182-14e5-4395-b185-4cd192e4030c","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"user.name"},"f549d182-14e5-4395-b185-4cd192e4030c":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"bc61b519-0caa-4bf7-bbe7-6077fb307d0a"},{"columnId":"f549d182-14e5-4395-b185-4cd192e4030c"}],"layerId":"b12aced8-11a0-4a83-a7c5-129f142e8f04","layerType":"data"}},"title":"Endgame - File Username","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"5a43fa30-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-b12aced8-11a0-4a83-a7c5-129f142e8f04","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1074],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDUzLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"e5f77e35-1bc5-4487-9602-e2962cafa87b":{"columnOrder":["ade5af28-bac8-4a2d-adff-28580282a9d2","bb5f0057-5e74-4baf-9839-aff53de6d145","e480935c-b388-48c6-9582-fb4600b462fb"],"columns":{"ade5af28-bac8-4a2d-adff-28580282a9d2":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"file.name","operationType":"terms","params":{"missingBucket":true,"orderBy":{"columnId":"e480935c-b388-48c6-9582-fb4600b462fb","type":"column"},"orderDirection":"desc","otherBucket":true,"size":25},"scale":"ordinal","sourceField":"file.name"},"bb5f0057-5e74-4baf-9839-aff53de6d145":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"file.path","operationType":"terms","params":{"missingBucket":true,"orderBy":{"columnId":"e480935c-b388-48c6-9582-fb4600b462fb","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"file.path"},"e480935c-b388-48c6-9582-fb4600b462fb":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"ade5af28-bac8-4a2d-adff-28580282a9d2","isTransposed":false},{"columnId":"e480935c-b388-48c6-9582-fb4600b462fb","isTransposed":false},{"columnId":"bb5f0057-5e74-4baf-9839-aff53de6d145","isTransposed":false}],"layerId":"e5f77e35-1bc5-4487-9602-e2962cafa87b","layerType":"data"}},"title":"Endgame - File 
Name","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"676296e0-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1079],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDU0LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"377145dd-d931-4e01-8719-fa4e36df631a":{"columnOrder":["6ba09492-0ce8-4f51-9263-e85a0a74225c","123ad80c-6989-4387-a25a-9f0a60d6ea7b"],"columns":{"123ad80c-6989-4387-a25a-9f0a60d6ea7b":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"6ba09492-0ce8-4f51-9263-e85a0a74225c":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"123ad80c-6989-4387-a25a-9f0a60d6ea7b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"host.name"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"6ba09492-0ce8-4f51-9263-e85a0a74225c"},{"columnId":"123ad80c-6989-4387-a25a-9f0a60d6ea7b"}],"layerId":"377145dd-d931-4e01-8719-fa4e36df631a","layerType":"data"}},"title":"Endgame - File 
Hostname","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"74daec50-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-377145dd-d931-4e01-8719-fa4e36df631a","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1084],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDU1LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3320254d-3b41-4746-946e-70357e58da19":{"columnOrder":["4a9a0ae7-34cc-407e-8f0c-a60c234179b7","9ee7fb17-68de-4b29-b3e8-21336f4b15ca"],"columns":{"4a9a0ae7-34cc-407e-8f0c-a60c234179b7":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"event.type","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9ee7fb17-68de-4b29-b3e8-21336f4b15ca","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.type"},"9ee7fb17-68de-4b29-b3e8-21336f4b15ca":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["4a9a0ae7-34cc-407e-8f0c-a60c234179b7"],"layerId":"3320254d-3b41-4746-946e-70357e58da19","layerType":"data","legendDisplay":"default","metric":"9ee7fb17-68de-4b29
-b3e8-21336f4b15ca","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Endgame - File Event Type (Donut)","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"82ab9af0-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3320254d-3b41-4746-946e-70357e58da19","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1089],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDU2LDE1XQ=="} -{"attributes":{"columns":["file.name","file.directory"],"description":"","grid":{},"hideChart":false,"hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame - File Search","version":1},"coreMigrationVersion":"7.16.2","id":"90facda0-6f08-11ec-864c-8b5450f97635","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"sort":[1643385898421,1092],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDU3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":12,\"i\":\"d3fd89cc-9483-41b1-90e8-c2e86b862d4c\"},\"panelIndex\":\"d3fd89cc-9483-41b1-90e8-c2e86b862d4c\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"panelRefName\":\"panel_d3fd89cc-9483-41b1-90e8-c2e86b862d4c\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":13,\"h\":12,\"i\":\"dcf897df-beb2-4a1b-86b2-4b8b0370aa94\"},\"panelIndex\":\"dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0\",\"accessor\":\"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e\",\"layerType\":\"data\"},\"query\":{\"query\":\"event.category.keyword : 
\\\"file\\\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0\":{\"columns\":{\"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File All Logs\",\"panelRefName\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":12,\"i\":\"fb5061a4-571d-4f4d-a3b5-fd7851d324ca\"},\"panelIndex\":\"fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-10863c78-73fc-4739-88ea-b6e3419da4db\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index
-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"10863c78-73fc-4739-88ea-b6e3419da4db\",\"accessors\":[\"4e101a7c-04a5-4ab9-96c5-ef10fc92547b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e472c6a1-d786-43f7-95f0-df55a990e268\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"10863c78-73fc-4739-88ea-b6e3419da4db\":{\"columns\":{\"e472c6a1-d786-43f7-95f0-df55a990e268\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"4e101a7c-04a5-4ab9-96c5-ef10fc92547b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"e472c6a1-d786-43f7-95f0-df55a990e268\",\"4e101a7c-04a5-4ab9-96c5-ef10fc92547b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Log Count Over 
Time\",\"panelRefName\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":32,\"h\":16,\"i\":\"30774bd7-ee7f-4c21-aa67-104e961664ee\"},\"panelIndex\":\"30774bd7-ee7f-4c21-aa67-104e961664ee\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-860e44c0-e06a-4d8a-9172-b542532df353\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"860e44c0-e06a-4d8a-9172-b542532df353\",\"accessors\":[\"63defa8c-527b-4165-9fb9-4e564bd03695\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"0c6f3897-05c7-4a
a3-90e5-17f58946a3af\",\"splitAccessor\":\"55eacb06-199f-41eb-b6dc-b5b1407b7073\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"860e44c0-e06a-4d8a-9172-b542532df353\":{\"columns\":{\"55eacb06-199f-41eb-b6dc-b5b1407b7073\":{\"label\":\"Top values of event.action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"63defa8c-527b-4165-9fb9-4e564bd03695\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"0c6f3897-05c7-4aa3-90e5-17f58946a3af\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"63defa8c-527b-4165-9fb9-4e564bd03695\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"55eacb06-199f-41eb-b6dc-b5b1407b7073\",\"0c6f3897-05c7-4aa3-90e5-17f58946a3af\",\"63defa8c-527b-4165-9fb9-4e564bd03695\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Event 
Action\",\"panelRefName\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":12,\"w\":16,\"h\":16,\"i\":\"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\"},\"panelIndex\":\"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-b12aced8-11a0-4a83-a7c5-129f142e8f04\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"b12aced8-11a0-4a83-a7c5-129f142e8f04\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bc61b519-0caa-4bf7-bbe7-6077fb307d0a\"},{\"columnId\":\"f549d182-14e5-4395-b185-4cd192e4030c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b12aced8-11a0-4a83-a7c5-129f142e8f04\":{\"columns\":{\"bc61b519-0caa-4bf7-bbe7-6077fb307d0a\":{\"label\":\"Top values of 
user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f549d182-14e5-4395-b185-4cd192e4030c\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"f549d182-14e5-4395-b185-4cd192e4030c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"bc61b519-0caa-4bf7-bbe7-6077fb307d0a\",\"f549d182-14e5-4395-b185-4cd192e4030c\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Username\",\"panelRefName\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":31,\"i\":\"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\"},\"panelIndex\":\"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"e5f77e35-1bc5-4
487-9602-e2962cafa87b\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"ade5af28-bac8-4a2d-adff-28580282a9d2\"},{\"isTransposed\":false,\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},{\"columnId\":\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e5f77e35-1bc5-4487-9602-e2962cafa87b\":{\"columns\":{\"ade5af28-bac8-4a2d-adff-28580282a9d2\":{\"label\":\"Top values of file.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}},\"e480935c-b388-48c6-9582-fb4600b462fb\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bb5f0057-5e74-4baf-9839-aff53de6d145\":{\"label\":\"Top values of file.path\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.path\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}}},\"columnOrder\":[\"ade5af28-bac8-4a2d-adff-28580282a9d2\",\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"e480935c-b388-48c6-9582-fb4600b462fb\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - File 
Name\",\"panelRefName\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":11,\"i\":\"7e1aecd8-bbbe-453c-868b-8335f5ab65ea\"},\"panelIndex\":\"7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-377145dd-d931-4e01-8719-fa4e36df631a\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"377145dd-d931-4e01-8719-fa4e36df631a\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"6ba09492-0ce8-4f51-9263-e85a0a74225c\"},{\"columnId\":\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"377145dd-d931-4e01-8719-fa4e36df631a\":{\"columns\":{\"6ba09492-0ce8-4f51-9263-e85a0a74225c\":{\"label\":\"Top values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"6ba09492-0ce8-4f51-9263-e85a0a74225c\",\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Hostname\",\"panelRefName\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":39,\"w\":25,\"h\":20,\"i\":\"9fa50224-7ba0-4adb-806a-bca0ddaf81d0\"},\"panelIndex\":\"9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-3320254d-3b41-4746-946e-70357e58da19\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\
"layerId\":\"3320254d-3b41-4746-946e-70357e58da19\",\"groups\":[\"4a9a0ae7-34cc-407e-8f0c-a60c234179b7\"],\"metric\":\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3320254d-3b41-4746-946e-70357e58da19\":{\"columns\":{\"4a9a0ae7-34cc-407e-8f0c-a60c234179b7\":{\"label\":\"Top values of event.type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.type\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"4a9a0ae7-34cc-407e-8f0c-a60c234179b7\",\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"fa53d234-1d45-4a90-8468-631012e68ce8\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to File Dashboard\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true}}}]}}},\"title\":\"Endgame - File Event Type 
(Donut)\",\"panelRefName\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\"},{\"version\":\"7.16.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":59,\"w\":48,\"h\":16,\"i\":\"0f24d345-114e-44a8-ac45-75258008cf3b\"},\"panelIndex\":\"0f24d345-114e-44a8-ac45-75258008cf3b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0f24d345-114e-44a8-ac45-75258008cf3b\"}]","timeRestore":false,"title":"Endgame - File","version":1},"coreMigrationVersion":"7.16.2","id":"4923ad00-6349-11ec-864c-8b5450f97635","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"d3fd89cc-9483-41b1-90e8-c2e86b862d4c:panel_d3fd89cc-9483-41b1-90e8-c2e86b862d4c","type":"visualization"},{"id":"3505d400-6d6d-11ec-864c-8b5450f97635","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94","type":"lens"},{"id":"3505d400-6d6d-11ec-864c-8b5450f97635","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94","type":"lens"},{"id":"3505d400-6d6d-11ec-864c-8b5450f97635","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94","type":"lens"},{"id":"3505d400-6d6d-11ec-864c-8b5450f97635","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94","type":"lens"},{"id":"3505d400-6d6d-11ec-864c-8b5450f97635","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94","type":"lens"},{"id":"endgame-*","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:indexpattern-datasource-layer-265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0","type":"index-pattern"},{"id":"endgame-*","name":"dcf897df-beb2-4a1b-86b2-4b8b0370aa94:filter-index-pattern-0","type":"index-pattern"},{"id":"42a22c30-6d6d-11ec-864c-8b5450f97635","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851
d324ca","type":"lens"},{"id":"42a22c30-6d6d-11ec-864c-8b5450f97635","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca","type":"lens"},{"id":"42a22c30-6d6d-11ec-864c-8b5450f97635","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca","type":"lens"},{"id":"42a22c30-6d6d-11ec-864c-8b5450f97635","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca","type":"lens"},{"id":"42a22c30-6d6d-11ec-864c-8b5450f97635","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca","type":"lens"},{"id":"endgame-*","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:indexpattern-datasource-layer-10863c78-73fc-4739-88ea-b6e3419da4db","type":"index-pattern"},{"id":"endgame-*","name":"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:filter-index-pattern-0","type":"index-pattern"},{"id":"4d6bdc60-6d6d-11ec-864c-8b5450f97635","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee","type":"lens"},{"id":"4d6bdc60-6d6d-11ec-864c-8b5450f97635","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee","type":"lens"},{"id":"4d6bdc60-6d6d-11ec-864c-8b5450f97635","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee","type":"lens"},{"id":"4d6bdc60-6d6d-11ec-864c-8b5450f97635","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee","type":"lens"},{"id":"4d6bdc60-6d6d-11ec-864c-8b5450f97635","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee","type":"lens"},{"id":"endgame-*","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:indexpattern-datasource-layer-860e44c0-e0
6a-4d8a-9172-b542532df353","type":"index-pattern"},{"id":"endgame-*","name":"30774bd7-ee7f-4c21-aa67-104e961664ee:filter-index-pattern-0","type":"index-pattern"},{"id":"5a43fa30-6d6d-11ec-864c-8b5450f97635","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1","type":"lens"},{"id":"5a43fa30-6d6d-11ec-864c-8b5450f97635","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1","type":"lens"},{"id":"5a43fa30-6d6d-11ec-864c-8b5450f97635","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1","type":"lens"},{"id":"5a43fa30-6d6d-11ec-864c-8b5450f97635","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1","type":"lens"},{"id":"5a43fa30-6d6d-11ec-864c-8b5450f97635","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1","type":"lens"},{"id":"endgame-*","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:indexpattern-datasource-layer-b12aced8-11a0-4a83-a7c5-129f142e8f04","type":"index-pattern"},{"id":"endgame-*","name":"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:filter-index-pattern-0","type":"index-pattern"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd
2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"endgame-*","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b","type":"index-pattern"},{"id":"endgame-*","name":"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:filter-index-pattern-0","type":"index-pattern"},{"id":"74daec50-6d6d-11ec-864c-8b5450f97635","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea","type":"lens"},{"id":"74daec50-6d6d-11ec-864c-8b5450f97635","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea","type":"lens"},{"id":"74daec50-6d6d-11ec-864c-8b5450f97635","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea","type":"lens"},{"id":"74daec50-6d6d-11ec-864c-8b5450f97635","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea","type":"lens"},{"id":"74daec50-6d6d-11ec-864c-8b5450f97635","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea","type":"lens"},{"id":"endgame-*","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:indexpattern-datasource-layer-377145dd-d931-4e01-8719-fa4e36df631a","type":"index-pattern"},{"id":"endgame-*","name":"7e1aecd8-bbbe-453c-868b-8335f5ab65ea:filter-index-pattern-0","type":"index-pattern"},{"id":"82ab9af0-6d6d-11ec-864c-8b5450f97635","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0","type":"lens"},{"id":"82ab9af0-6d6d-11ec-864c-8b5450f97635","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0","type":"lens"},{"id":"82ab9af0-6d6d-11ec-864c-8b5450f97635","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba
0-4adb-806a-bca0ddaf81d0","type":"lens"},{"id":"82ab9af0-6d6d-11ec-864c-8b5450f97635","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0","type":"lens"},{"id":"82ab9af0-6d6d-11ec-864c-8b5450f97635","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0","type":"lens"},{"id":"endgame-*","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:indexpattern-datasource-layer-3320254d-3b41-4746-946e-70357e58da19","type":"index-pattern"},{"id":"endgame-*","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:filter-index-pattern-0","type":"index-pattern"},{"id":"4923ad00-6349-11ec-864c-8b5450f97635","name":"9fa50224-7ba0-4adb-806a-bca0ddaf81d0:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:fa53d234-1d45-4a90-8468-631012e68ce8:dashboardId","type":"dashboard"},{"id":"90facda0-6f08-11ec-864c-8b5450f97635","name":"0f24d345-114e-44a8-ac45-75258008cf3b:panel_0f24d345-114e-44a8-ac45-75258008cf3b","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1153],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDU4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Request From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Request 
From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.request.from.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.request.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request From\"}}]}"},"coreMigrationVersion":"7.16.2","id":"49384710-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1155],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"network.transport:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Network - Transport","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Transport\"}}]}"},"coreMigrationVersion":"7.16.2","id":"499a0690-6ead-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1157],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDYwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - 
Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"},"coreMigrationVersion":"7.16.2","id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1159],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDYxLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3a9904aa-0df2-48a5-b981-ae47f20e29d3":{"columnOrder":["37a5b642-e2c0-4005-88c9-d4e1f9016648"],"columns":{"37a5b642-e2c0-4005-88c9-d4e1f9016648":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Logs","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"accessor":"37a5b642-e2c0-4005-88c9-d4e1f9016648","layerId":"3a9904aa-0df2-48a5-b981-ae47f20e29d3","layerType":"data"}},"title":"Endgame - Network Metric","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"ec0fa520-6329-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3a9904aa-0df2-48a5-b981-ae47f20e29d3","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1164],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDYyLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"909005b3-b986-4bf6-9504-f4a9c877a966":{"columnOrder":["b65c177b-364a-4656-854a-69e6b07f05ff","98109e10-1bb1-4a93-bd3f-64a228aba2c4"],"columns":{"98109e10-1bb1-4a93-bd3f-64a228aba2c4":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"},"b65c177b-364a-4656-854a-69e6b07f05ff":{"dataType":"string","isBucketed":true,"label":"Top values of network.transport","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"98109e10-1bb1-4a93-bd3f-64a228aba2c4","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"network.transport"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["b65c177b-364a-4656-854a-69e6b07f05ff"],"layerId":"909005b3-b986-4bf6-9504-f4a9c877a966","layerType":"data","legendDisplay":"show","metric":"98109e10-1bb1-4a93-bd3f-64a228aba2c4","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Endgame - Network Protocol","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"a82d8250-6324-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1169],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDYzLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"f2b4871a-9aca-4016-848c-331b8c221cf7":{"columnOrder":["a06965e8-9258-490d-9765-54afc2fb5073","e81257d5-bbe1-406d-b8b7-01db30a05390"],"columns":{"a06965e8-9258-490d-9765-54afc2fb5073":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"source.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e81257d5-bbe1-406d-b8b7-01db30a05390","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"source.ip"},"e81257d5-bbe1-406d-b8b7-01db30a05390":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"a06965e8-9258-490d-9765-54afc2fb5073"},{"columnId":"e81257d5-bbe1-406d-b8b7-01db30a05390"}],"layerId":"f2b4871a-9aca-4016-848c-331b8c221cf7","layerType":"data"}},"title":"Endgame - Network Source IP","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"ac2e7c60-6e41-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1173],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDY0LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"d76872f3-61fb-4b26-8440-0ca886e33224":{"columnOrder":["822af2db-f82f-4f05-a4c3-8c6b7808d79a","6f747e8d-b264-42e8-ae88-2df81bf5bfa5"],"columns":{"6f747e8d-b264-42e8-ae88-2df81bf5bfa5":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"822af2db-f82f-4f05-a4c3-8c6b7808d79a":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"destination.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"6f747e8d-b264-42e8-ae88-2df81bf5bfa5","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"destination.ip"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"822af2db-f82f-4f05-a4c3-8c6b7808d79a"},{"columnId":"6f747e8d-b264-42e8-ae88-2df81bf5bfa5"}],"layerId":"d76872f3-61fb-4b26-8440-0ca886e33224","layerType":"data"}},"title":"Endgame - Network Destination IP","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"c7f8be60-6e41-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1177],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDY1LDE1XQ=="} 
-{"attributes":{"columns":[],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"network\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"network\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame - Network Search","version":1},"coreMigrationVersion":"7.16.2","id":"4e1aa7c0-6ed2-11ec-864c-8b5450f97635","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"sort":[1643385898421,1180],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDY2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Endgame - Network Heatmap","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 5,500,000,000\":\"rgb(247,252,245)\",\"5,500,000,000 - 11,000,000,000\":\"rgb(198,232,191)\",\"11,000,000,000 - 16,500,000,000\":\"rgb(114,195,120)\",\"16,500,000,000 - 22,000,000,000\":\"rgb(34,139,69)\"},\"legendOpen\":true}}","version":1,"visState":"{\"title\":\"Endgame - Network 
Heatmap\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.bytes\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"source.ip\"},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"destination.ip\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"},"coreMigrationVersion":"7.16.2","id":"de389910-6f0a-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"4e1aa7c0-6ed2-11ec-864c-8b5450f97635","name":"search_0","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1183],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDY3LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"89c7faa8-15c2-4772-95a6-8049a683be1a":{"columnOrder":["0cf6d6cf-9585-4e5f-8729-af8484507670","fa5a503a-c448-4dc7-8b1e-5679822218ae","e520b985-a9b8-4183-b29c-61373ed817c8","9079d4df-8e60-4749-bc38-b3b52782f71d"],"columns":{"0cf6d6cf-9585-4e5f-8729-af8484507670":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"dns.question.type","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9079d4df-8e60-4749-bc38-b3b52782f71d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"dns.question.type"},"9079d4df-8e60-4749-bc38-b3b52782f71d":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"e520b985-a9b8-4183-b29c-61373ed817c8":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"dns.question.registered_domain","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9079d4df-8e60-4749-bc38-b3b52782f71d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"dns.question.registered_domain"},"fa5a503a-c448-4dc7-8b1e-5679822218ae":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"dns.question.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"9079d4df-8e60-4749-bc38-b3b52782f71d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":100},"scale":"ordinal","sourceField":"dns.question.name"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"0cf6d6cf-9585-
4e5f-8729-af8484507670","isTransposed":false},{"columnId":"e520b985-a9b8-4183-b29c-61373ed817c8","isTransposed":false},{"columnId":"fa5a503a-c448-4dc7-8b1e-5679822218ae","isTransposed":false},{"columnId":"9079d4df-8e60-4749-bc38-b3b52782f71d","isTransposed":false}],"layerId":"89c7faa8-15c2-4772-95a6-8049a683be1a","layerType":"data"}},"title":"Endgame - DNS Records","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"85048e40-6329-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1188],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDY4LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"6eb1c7b4-ab7b-4b99-8113-5e5eec2db2f6":{"columnOrder":["bc7ded30-7099-4284-93f9-61bc44cd1b20","1219efed-4a09-4e75-b721-b5b581968e14"],"columns":{"1219efed-4a09-4e75-b721-b5b581968e14":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"bc7ded30-7099-4284-93f9-61bc44cd1b20":{"dataType":"string","isBucketed":true,"label":"Top values of 
user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1219efed-4a09-4e75-b721-b5b581968e14","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"user.name"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"network"},"type":"phrase"},"query":{"match_phrase":{"event.category":"network"}}},{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-1","key":"event.type","negate":false,"params":{"query":"info"},"type":"phrase"},"query":{"match_phrase":{"event.type":"info"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["bc7ded30-7099-4284-93f9-61bc44cd1b20","bc7ded30-7099-4284-93f9-61bc44cd1b20"],"layerId":"6eb1c7b4-ab7b-4b99-8113-5e5eec2db2f6","layerType":"data","legendDisplay":"show","metric":"1219efed-4a09-4e75-b721-b5b581968e14","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Endgame - DNS Requests Chart","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"f30bef10-6328-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-6eb1c7b4-ab7b-4b99-8113-5e5eec2db2f6","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-1","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1194],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDY5LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":10,\"i\":\"5485c8f5-90ea-409f-8522-f0a58716a12e\"},\"panelIndex\":\"5485c8f5-90ea-409f-8522-f0a58716a12e\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_5485c8f5-90ea-409f-8522-f0a58716a12e\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":14,\"h\":10,\"i\":\"2fcc00ab-4db8-4760-9bd0-111a3cd1c822\"},\"panelIndex\":\"2fcc00ab-4db8-4760-9bd0-111a3cd1c822\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2fcc00ab-4db8-4760-9bd0-111a3cd1c822\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":12,\"h\":13,\"i\":\"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\"},\"panelIndex\":\"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864
c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"909005b3-b986-4bf6-9504-f4a9c877a966\",\"groups\":[\"b65c177b-364a-4656-854a-69e6b07f05ff\"],\"metric\":\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"909005b3-b986-4bf6-9504-f4a9c877a966\":{\"columns\":{\"b65c177b-364a-4656-854a-69e6b07f05ff\":{\"label\":\"Top values of network.transport\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"network.transport\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"b65c177b-364a-4656-854a-69e6b07f05ff\",\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network 
Transport\",\"panelRefName\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":36,\"y\":0,\"w\":12,\"h\":13,\"i\":\"3db56ff3-17bb-4304-95ca-5b7b6254257a\"},\"panelIndex\":\"3db56ff3-17bb-4304-95ca-5b7b6254257a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3db56ff3-17bb-4304-95ca-5b7b6254257a\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":19,\"i\":\"0fd77215-f380-4e05-8e8d-7eff24e7eb10\"},\"panelIndex\":\"0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"
type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58\"}],\"state\":{\"visualization\":{\"layerId\":\"7d4edcbb-fca9-47d9-93df-acba6aaf6f58\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\"},{\"columnId\":\"92a4b279-4a18-4513-a75c-52dcf79a6801\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7d4edcbb-fca9-47d9-93df-acba6aaf6f58\":{\"columns\":{\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\":{\"label\":\"Top values of event.category\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.category\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"92a4b279-4a18-4513-a75c-52dcf79a6801\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"92a4b279-4a18-4513-a75c-52dcf79a6801\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\",\"92a4b279-4a18-4513-a75c-52dcf79a6801\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network 
Events\",\"panelRefName\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":13,\"w\":12,\"h\":16,\"i\":\"55ac1386-6ccb-4926-813d-1dc397a60036\"},\"panelIndex\":\"55ac1386-6ccb-4926-813d-1dc397a60036\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7\"}],\"state\":{\"visualization\":{\"layerId\":\"f2b4871a-9aca-4016-848c-331b8c221cf7\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"a06965e8-9258-490d-9765-54afc2fb5073\"},{\"columnId\":\"e81257d5-bbe1-406d-b8b7-01db30a05390\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f2b4871a-9aca-4016-848c-331b8c221cf7\":{\"columns\":{\"a06965e8-9258-490d-9765-54afc2fb5073\":{\"label\":\"Top values of source.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e81257d5-bbe1-406d-b8b7-01db30a05390\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"e81257d5-bbe1-406d-b8b7-01db30a05390\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"a06965e8-9258-490d-9765-54afc2fb5073\",\"e81257d5-bbe1-406d-b8b7-01db30a05390\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network Source IP\",\"panelRefName\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":36,\"y\":13,\"w\":12,\"h\":16,\"i\":\"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\"},\"panelIndex\":\"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224\"}],\"state\":{\"visualization\":{\"layerId\":\"d76872f3-61fb-4b26-8440-0ca886e33224\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\"},{\"columnId\":\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d76872f3-61fb-4b26-8440-0ca886e33224\":{\"columns\":{\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\":{\"label\":\"Top values of 
destination.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\",\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network Destination IP\",\"panelRefName\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":12,\"i\":\"93e059d5-fc50-4357-9dfa-939f48da5834\"},\"panelIndex\":\"93e059d5-fc50-4357-9dfa-939f48da5834\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93e059d5-fc50-4357-9dfa-939f48da5834\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":41,\"w\":48,\"h\":21,\"i\":\"cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002\"},\"panelIndex\":\"cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":62,\"w\":28,\"h\":17,\"i\":\"1d174f74-9575-4827-8ae0-d5db7d53777b\"},\"panelIndex\":\"1d174f74-9575-4827-8ae0-d5db7d53777b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864
c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a\"}],\"state\":{\"visualization\":{\"layerId\":\"89c7faa8-15c2-4772-95a6-8049a683be1a\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"0cf6d6cf-9585-4e5f-8729-af8484507670\"},{\"isTransposed\":false,\"columnId\":\"e520b985-a9b8-4183-b29c-61373ed817c8\"},{\"isTransposed\":false,\"columnId\":\"fa5a503a-c448-4dc7-8b1e-5679822218ae\"},{\"isTransposed\":false,\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"89c7faa8-15c2-4772-95a6-8049a683be1a\":{\"columns\":{\"0cf6d6cf-9585-4e
5f-8729-af8484507670\":{\"label\":\"Top values of dns.question.type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"e520b985-a9b8-4183-b29c-61373ed817c8\":{\"label\":\"Top values of dns.question.registered_domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.registered_domain\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"fa5a503a-c448-4dc7-8b1e-5679822218ae\":{\"label\":\"Top values of dns.question.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"9079d4df-8e60-4749-bc38-b3b52782f71d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"0cf6d6cf-9585-4e5f-8729-af8484507670\",\"e520b985-a9b8-4183-b29c-61373ed817c8\",\"fa5a503a-c448-4dc7-8b1e-5679822218ae\",\"9079d4df-8e60-4749-bc38-b3b52782f71d\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network DNS 
Query\",\"panelRefName\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":28,\"y\":62,\"w\":20,\"h\":17,\"i\":\"0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1\"},\"panelIndex\":\"0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Network DNS Requests Chart\",\"panelRefName\":\"panel_0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":79,\"w\":48,\"h\":17,\"i\":\"fb5ece46-c6e7-4d56-a48a-607783ad818f\"},\"panelIndex\":\"fb5ece46-c6e7-4d56-a48a-607783ad818f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_fb5ece46-c6e7-4d56-a48a-607783ad818f\"}]","timeRestore":false,"title":"Endgame - Network","version":1},"coreMigrationVersion":"7.16.2","id":"49d34770-53b2-11ec-b3ef-6bcc33056a36","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"5485c8f5-90ea-409f-8522-f0a58716a12e:panel_5485c8f5-90ea-409f-8522-f0a58716a12e","type":"visualization"},{"id":"ec0fa520-6329-11ec-864c-8b5450f97635","name":"2fcc00ab-4db8-4760-9bd0-111a3cd1c822:panel_2fcc00ab-4db8-4760-9bd0-111a3cd1c822","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"l
ens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"a82d8250-6324-11ec-864c-8b5450f97635","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800","type":"lens"},{"id":"endgame-*","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966","type":"index-pattern"},{"id":"2f20b2c0-6323-11ec-864c-8b5450f97635","name":"3db56ff3-17bb-4304-95ca-5b7b6254257a:panel_3db56ff3-17bb-4304-95ca-5b7b6254257a","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-
4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"22ffcc70-6322-11ec-864c-8b5450f97635","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10","type":"lens"},{"id":"endgame-*","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"0fd77215-f380-4e05-8e8d-7eff24e7eb10:indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58","type":"index-p
attern"},{"id":"ac2e7c60-6e41-11ec-864c-8b5450f97635","name":"55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036","type":"lens"},{"id":"ac2e7c60-6e41-11ec-864c-8b5450f97635","name":"55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036","type":"lens"},{"id":"ac2e7c60-6e41-11ec-864c-8b5450f97635","name":"55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036","type":"lens"},{"id":"ac2e7c60-6e41-11ec-864c-8b5450f97635","name":"55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036","type":"lens"},{"id":"ac2e7c60-6e41-11ec-864c-8b5450f97635","name":"55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036","type":"lens"},{"id":"endgame-*","name":"55ac1386-6ccb-4926-813d-1dc397a60036:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"55ac1386-6ccb-4926-813d-1dc397a60036:indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7","type":"index-pattern"},{"id":"c7f8be60-6e41-11ec-864c-8b5450f97635","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6","type":"lens"},{"id":"c7f8be60-6e41-11ec-864c-8b5450f97635","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6","type":"lens"},{"id":"c7f8be60-6e41-11ec-864c-8b5450f97635","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6","type":"lens"},{"id":"c7f8be60-6e41-11ec-864c-8b5450f97635","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6","type":"lens"},{"id":"c7f8be60-6e41-11ec-864c-8b5450f97635","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6","type":"lens"},{"id":"endgame-*","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:indexpattern-data
source-layer-d76872f3-61fb-4b26-8440-0ca886e33224","type":"index-pattern"},{"id":"38c95ae0-6e4d-11ec-864c-8b5450f97635","name":"93e059d5-fc50-4357-9dfa-939f48da5834:panel_93e059d5-fc50-4357-9dfa-939f48da5834","type":"lens"},{"id":"de389910-6f0a-11ec-864c-8b5450f97635","name":"cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002:panel_cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002","type":"visualization"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53
777b","type":"lens"},{"id":"85048e40-6329-11ec-864c-8b5450f97635","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b","type":"lens"},{"id":"endgame-*","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"1d174f74-9575-4827-8ae0-d5db7d53777b:indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a","type":"index-pattern"},{"id":"f30bef10-6328-11ec-864c-8b5450f97635","name":"0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1:panel_0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1","type":"lens"},{"id":"4e1aa7c0-6ed2-11ec-864c-8b5450f97635","name":"fb5ece46-c6e7-4d56-a48a-607783ad818f:panel_fb5ece46-c6e7-4d56-a48a-607783ad818f","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1262],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDcwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Protocol (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Protocol (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"coreMigrationVersion":"7.16.2","id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1264],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDcxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Request Type (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Request Type (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"request_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1266],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDcyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - 
Network - Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IPs\"}}]}"},"coreMigrationVersion":"7.16.2","id":"4adca340-6eae-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,1268],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:google.com~ -highest_registered_domain:google.com AND highest_registered_domain:youtube.com~ -highest_registered_domain:youtube.com AND highest_registered_domain:facebook.com~ -highest_registered_domain:facebook.com AND highest_registered_domain:wikipedia.org~ -highest_registered_domain:wikipedia.org AND highest_registered_domain:google.co.in~ -highest_registered_domain:google.co.in AND highest_registered_domain:reddit.com~ -highest_registered_domain:reddit.com AND 
highest_registered_domain:amazon.com~ -highest_registered_domain:amazon.com AND highest_registered_domain:taobao.com~ -highest_registered_domain:taobao.com AND highest_registered_domain:twitter.com~ -highest_registered_domain:twitter.com AND highest_registered_domain:google.co.jp~ -highest_registered_domain:google.co.jp AND highest_registered_domain:instagram.com~ -highest_registered_domain:instagram.com AND highest_registered_domain:sina.com.cn~ -highest_registered_domain:sina.com.cn AND highest_registered_domain:google.co.uk~ -highest_registered_domain:google.co.uk AND highest_registered_domain:linkedin.com~ -highest_registered_domain:linkedin.com AND highest_registered_domain:list.tmall.com~ -highest_registered_domain:list.tmall.com AND highest_registered_domain:google.com.br~ -highest_registered_domain:google.com.br AND highest_registered_domain:google.com.hk~ -highest_registered_domain:google.com.hk AND highest_registered_domain:netflix.com~ -highest_registered_domain:netflix.com AND highest_registered_domain:yahoo.co.jp~ -highest_registered_domain:yahoo.co.jp AND highest_registered_domain:pornhub.com~ -highest_registered_domain:pornhub.com AND highest_registered_domain:xvideos.com~ -highest_registered_domain:xvideos.com AND highest_registered_domain:microsoft.com~ -highest_registered_domain:microsoft.com AND highest_registered_domain:livejasmin.com~ -highest_registered_domain:livejasmin.com AND highest_registered_domain:aliexpress.com~ -highest_registered_domain:aliexpress.com AND highest_registered_domain:stackoverflow.com~ -highest_registered_domain:stackoverflow.com AND highest_registered_domain:wordpress.com~ -highest_registered_domain:wordpress.com AND highest_registered_domain:hao123.com~ -highest_registered_domain:hao123.com AND highest_registered_domain:github.com~ -highest_registered_domain:github.com AND highest_registered_domain:amazon.co.jp~ -highest_registered_domain:amazon.co.jp AND highest_registered_domain:blogspot.com~ 
-highest_registered_domain:blogspot.com AND highest_registered_domain:pinterest.com~ -highest_registered_domain:pinterest.com AND highest_registered_domain:bongacams.com~ -highest_registered_domain:bongacams.com AND highest_registered_domain:google.com.tr~ -highest_registered_domain:google.com.tr AND highest_registered_domain:popads.net~ -highest_registered_domain:popads.net AND highest_registered_domain:paypal.com~ -highest_registered_domain:paypal.com AND highest_registered_domain:office.com~ -highest_registered_domain:office.com AND highest_registered_domain:google.com.tw~ -highest_registered_domain:google.com.tw AND highest_registered_domain:google.com.au~ -highest_registered_domain:google.com.au AND highest_registered_domain:whatsapp.com~ -highest_registered_domain:whatsapp.com AND highest_registered_domain:microsoftonline.com~ -highest_registered_domain:microsoftonline.com\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Alexa Top Sites","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"Edit this to reflect your domain(s)\",\"width\":0.9},\"type\":\"meter\",\"alignment\":\"horizontal\"}},\"title\":\"DNS - Phishing Attempts Against Alexa Top Sites\",\"type\":\"gauge\"}"},"coreMigrationVersion":"7.16.2","id":"4d89e140-6f09-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1270],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDc0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Source - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1272],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDc1LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"Connections - Source - Top Connection Duration","version":1},"coreMigrationVersion":"7.16.2","id":"4e108070-46c7-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5ea38360-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"sort":[1643385898421,1275],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDc2LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Section Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"section_names.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1277],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDc3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DHCP - IP to MAC Assignment","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - IP to MAC 
Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"assigned_ip.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"4e877100-4a48-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1279],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDc4LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Issuer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"},"coreMigrationVersion":"7.16.2","id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1281],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDc5LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Server Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"4fade7b0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1283],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1285],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDgxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c3a06740-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1287],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDgyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Firewall - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"df06de60-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1289],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1291],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDg0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Protocol","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Firewall - 
Protocol\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ipv4_protocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1293],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDg1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Firewall - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Firewall - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHH3kBxQT5EBNmq459","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1295],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDg2LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":60,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":36,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":36,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":16,\"x\":32,\"y\":8,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":60,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"action\",\"reason\",\"source_ip\",\"source
_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - Firewall","version":1},"coreMigrationVersion":"7.16.2","id":"50173bd0-3582-11e7-98ef-19df58fe538b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e76d2eb0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"c3a06740-6d75-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"df06de60-6d75-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"2a1eb100-6d82-11e7-bcd4-0d514e0e7da1","name":"panel_4","type":"visualization"},{"id":"fcf75bc0-6d75-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"f8f0dbc0-6d82-11e7-912f-0950e6d5c322","name":"panel_6","type":"visualization"},{"id":"37c16940-6d6b-11e7-ad64-15aa071374a6","name":"panel_7","type":"search"},{"id":"AWDHH3kBxQT5EBNmq459","name":"panel_8","type":"visualization"}],"sort":[1643385898421,1305],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - File Size","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - File 
Size\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.size: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.size\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Size\"}}]}"},"coreMigrationVersion":"7.16.2","id":"50b4c880-72df-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1307],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDg4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"524e13b0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1309],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDg5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.answers.name.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.answers.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Answer\"}}]}"},"coreMigrationVersion":"7.16.2","id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1311],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDkwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Tunnels - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"53824da0-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1313],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDkxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1315],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1317],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDkzLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"0600494b-6f03-450b-8dab-981005aedf32":{"columnOrder":["0f00561d-d6d7-46b2-af59-4ea225a9893a","34e0e2cc-aab4-4581-9bc4-aba527024007"],"columns":{"0f00561d-d6d7-46b2-af59-4ea225a9893a":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"},"34e0e2cc-aab4-4581-9bc4-aba527024007":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","params":{"format":{"id":"number","params":{"decimals":0}}},"scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" 
"},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":false,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["34e0e2cc-aab4-4581-9bc4-aba527024007"],"layerId":"0600494b-6f03-450b-8dab-981005aedf32","layerType":"data","position":"top","seriesType":"bar","showGridlines":false,"xAccessor":"0f00561d-d6d7-46b2-af59-4ea225a9893a"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Alert Log Count Over Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"53b9b490-6cc1-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1321],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDk0LDE1XQ=="} -{"attributes":{"columns":["source_ip","source_port","destination_ip","destination_port","uid","_id"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"SMTP - 
Logs","version":1},"coreMigrationVersion":"7.16.2","id":"a6cea530-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1323],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Webmail - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - Webmail - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"is_webmail.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"53beb0d0-6e29-
11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1325],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDk2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1327],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDk3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - 
Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.success: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1329],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Tree","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - 
Tree\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.server.tree.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.tree.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tree\"}}]}"},"coreMigrationVersion":"7.16.2","id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1331],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MDk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - NTLM - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - NTLM - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Netbios\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"DNS\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.nb.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NetBIOS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.dns.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"DNS\"}}]}"},"coreMigrationVersion":"7.16.2","id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern
"}],"sort":[1643385898421,1333],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTAwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ntlm\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\"},\"panelIndex\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\"},\"panelIndex\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d32748d9-d47b-41bb-ab9f-b59817230998\"},\"panelIndex\":\"d32748d9-d47b-41bb-ab9f-b59817230998\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\"},\"panelIndex\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"4a50def3-c905-4493-b352-59741d68326e\"},\"panelIndex\":\"4a50def3-c905-4493-b352-59741d68326e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":10,\"h\":18,\"i\":\"075d7365-e106-4a1e-b003-bab7abbb7146\"},\"panelIndex\":\"075d7365-e106-4a1e-b003-bab7abbb7146\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":9,\"w\":9,\"h\":18,\"i\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\"},\"panelIndex\":\"5
202d0b2-7f34-4182-8e25-ec87d4df0965\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"f93042fa-bdd7-495f-af7b-eec95073e015\"},\"panelIndex\":\"f93042fa-bdd7-495f-af7b-eec95073e015\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"c72c241d-5b6f-475c-831b-4419dd437a26\"},\"panelIndex\":\"c72c241d-5b6f-475c-831b-4419dd437a26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - NTLM","version":1},"coreMigrationVersion":"7.16.2","id":"558292e0-75c1-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"e9f31a70-75c2-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"8cb83890-75c2-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"63f139c0-75c2-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,1343],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTAxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dns\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\"},\"panelIndex\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\"},\"panelIndex\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\"},\"panelIndex\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":19,\"i\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\"},\"panelIndex\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":19,\"i\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\"},\"panelIndex\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":18,\"y\":9,\"w\":8,\"h\":19,\"i\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\"},\"panelIndex\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":26,\"y\":9,\"w\":11,\"h\":19,\"i\":\"499d1548-292c-47a9-8f26-73a6af91d004\"},\"panelIndex\":\"499d1548-292c-47a9-8f26-73a6af91d004\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"versi
on\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":21,\"i\":\"e41240ec-8024-4f3f-9de0-869622470e4d\"},\"panelIndex\":\"e41240ec-8024-4f3f-9de0-869622470e4d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":21,\"i\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\"},\"panelIndex\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":29,\"i\":\"ae756423-c1d9-46f8-a1ee-28ee9626349d\"},\"panelIndex\":\"ae756423-c1d9-46f8-a1ee-28ee9626349d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":37,\"y\":9,\"w\":11,\"h\":19,\"i\":\"e79ec813-6af2-4618-ad48-a25444a8abe4\"},\"panelIndex\":\"e79ec813-6af2-4618-ad48-a25444a8abe4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
DNS","version":1},"coreMigrationVersion":"7.16.2","id":"55ac6bf0-6ec4-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"13cda410-c770-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"},{"id":"07065340-72ba-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"536876a0-72ba-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"},{"id":"336dbde0-88aa-11eb-9841-852c8cc8a2e8","name":"panel_10","type":"visualization"}],"sort":[1643385898421,1355],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTAyLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"e980cacd-054a-4c43-95aa-1b036dac04fd":{"columnOrder":["81df4048-abc0-4b0f-a7ec-9cf28f8cb367","528ff47c-2e2a-40e5-a5be-2983ecff6031","c2e1a93b-7344-40a5-9926-fc15afd832f0","5c038dd2-ec5b-4ef9-8e5c-7c2db912c05a","ad97207d-9f1a-4d60-9db3-0719f5596b29"],"columns":{"528ff47c-2e2a-40e5-a5be-2983ecff6031":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"IP","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ad97207d-9f1a-4d60-9db3-0719f5596b29","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.ip"},"5c038dd2-ec5b-4ef9-8e5c-7c2db912c05a":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Version","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ad97207d-9f1a-4d60-9db3-0719f5596b29","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.os.version"},"81df4048-abc0-4b0f-a7ec-9cf28f8cb367":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Hostname","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ad97207d-9f1a-4d60-9db3-0719f5596b29","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"host.name"},"ad97207d-9f1a-4d60-9db3-0719f5596b29":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Total 
Logs","operationType":"count","scale":"ratio","sourceField":"Records"},"c2e1a93b-7344-40a5-9926-fc15afd832f0":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"OS","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ad97207d-9f1a-4d60-9db3-0719f5596b29","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.os.name"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"ad97207d-9f1a-4d60-9db3-0719f5596b29","isTransposed":false},{"columnId":"81df4048-abc0-4b0f-a7ec-9cf28f8cb367","isTransposed":false},{"columnId":"528ff47c-2e2a-40e5-a5be-2983ecff6031","isTransposed":false},{"columnId":"c2e1a93b-7344-40a5-9926-fc15afd832f0","isTransposed":false},{"columnId":"5c038dd2-ec5b-4ef9-8e5c-7c2db912c05a","isTransposed":false}],"layerId":"e980cacd-054a-4c43-95aa-1b036dac04fd","layerType":"data"}},"title":"Endgame - Host Table","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"55edc2d0-68b4-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-e980cacd-054a-4c43-95aa-1b036dac04fd","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1359],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTAzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"IRC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"85b1f890-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1361],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Destination IP 
Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1363],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTA1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e4615200-35b7-11e7-a994-c528746bc6e8","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1365],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"IRC - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG_HoKxQT5EBNmq4KN","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1367],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTA3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Destination 
Country","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.city_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1369],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTA4LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"IRC - Command","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"},"coreMigrationVersion":"7.16.2","id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1371],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTA5LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20
,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - Bro - IRC","version":1},"coreMigrationVersion":"7.16.2","id":"56a34ce0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"85b1f890-35b7-11e7-a994-c528746bc6e8","name":"panel_1","type":"visualization"},{"id":"bf959cb0-35b7-11e7-a994-c528746bc6e8","name":"panel_2","type":"visualization"},{"id":"e4615200-35b7-11e7-a994-c528746bc6e8","name":"panel_3","type":"visualization"},{"id":"344c6010-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"3c073d20-6e17-11e7-8624-1fb07dd76c6a","name":"panel_5","type":"visualization"},{"id":"AWDG_HoKxQT5EBNmq4KN","name":"panel_6","type":"visualization"},{"id":"f625b7b0-4a56-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"},{"id":"7bc09930-4a57-11e8-9b0a-f1d33346f773","name":"panel_8","type":"visualization"}],"sort":[1643385898421,1381],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTEwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1383],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTExLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Lease Time","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"lease_time.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease 
Time\"}}]}"},"coreMigrationVersion":"7.16.2","id":"58c84f60-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1385],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTEyLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"46832f84-f86b-4914-a3ac-aaeda9f09cf7":{"columnOrder":["77069155-4e9a-4727-b888-648fed60258e","e7878efe-2181-449d-afd3-771296665829","738c056c-c4eb-4855-a690-90fa5b9e23f8","02c8c47e-9b96-4384-b467-1fd9cff2b78b","d61f74aa-1899-4881-a2cc-d0dc7cbf28df","6de07e81-5ee7-4885-af47-26b401667757","895abdf3-8c99-4473-a904-b379d478aae1","e30b3573-c58d-4b82-853d-70c1d090d641"],"columns":{"02c8c47e-9b96-4384-b467-1fd9cff2b78b":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.command_line","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"process.command_line"},"6de07e81-5ee7-4885-af47-26b401667757":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"file.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"file.name"},"738c056c-c4eb-4855-a690-90fa5b9e23f8":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Category","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"event.category"},"77069155-4e9a-4727-b888-648fed60258e":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"eve
nt.id (click on + to go to Endgame)","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"event.id"},"895abdf3-8c99-4473-a904-b379d478aae1":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.domain","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.domain"},"d61f74aa-1899-4881-a2cc-d0dc7cbf28df":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"process.name"},"e30b3573-c58d-4b82-853d-70c1d090d641":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"e7878efe-2181-449d-afd3-771296665829":{"customLabel":true,"dataType":"number","isBucketed":true,"label":"Severity","operationType":"range","params":{"maxBars":"auto","ranges":[{"from":0,"label":"","to":1000}],"type":"histogram"},"scale":"interval","sourceField":"event.severity"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" 
"},"visualization":{"columns":[{"columnId":"77069155-4e9a-4727-b888-648fed60258e","isTransposed":false},{"alignment":"center","columnId":"e7878efe-2181-449d-afd3-771296665829","isTransposed":false},{"columnId":"738c056c-c4eb-4855-a690-90fa5b9e23f8","isTransposed":false},{"columnId":"02c8c47e-9b96-4384-b467-1fd9cff2b78b","isTransposed":false},{"columnId":"d61f74aa-1899-4881-a2cc-d0dc7cbf28df","isTransposed":false},{"columnId":"6de07e81-5ee7-4885-af47-26b401667757","isTransposed":false},{"columnId":"895abdf3-8c99-4473-a904-b379d478aae1","isTransposed":false},{"columnId":"e30b3573-c58d-4b82-853d-70c1d090d641","hidden":true,"isTransposed":false}],"layerId":"46832f84-f86b-4914-a3ac-aaeda9f09cf7","layerType":"data"}},"title":"Endgame - Alerts with drilldown","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"5a203910-6cbe-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1389],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTEzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Log Count By Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Devices - Log Count By 
Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Device\"}}]}"},"coreMigrationVersion":"7.16.2","id":"5b3988c0-a840-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1391],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTE0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Client Build","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Client 
Build\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.client_build.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.client_build.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Build\"}}]}"},"coreMigrationVersion":"7.16.2","id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1393],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTE1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RDP - Security Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RDP - Security 
Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.security_protocol.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.security_protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"},"coreMigrationVersion":"7.16.2","id":"dad85840-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1395],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTE2LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rdp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\"},\"panelIndex\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\"},\"panelIndex\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\"},\"panelIndex\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\"},\"panelIndex\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f4437b55-61ef-4818-a8c4-448407c7052b\"},\"panelIndex\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":7,\"h\":19,\"i\":\"33630c53-4de4-4064-a319-bd71be01dc06\"},\"panelIndex\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":8,\"w\":7,\"h\":19,\"i\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\"},\"panelIndex\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":7,\"h\":19,\"i\":\"35083762-4591-44ac-a31f-36bed3414af2\"},\"panelIndex\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":8,\"w\":9,\"h\":19,\"i\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\"},\"panelIndex\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"f84fe347-bdda-4297-b460-eee297f7e91e\"},\"panelIndex\":\"f84fe347-bdda-4297-b460-eee297f7e91e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - RDP","version":1},"coreMigrationVersion":"7.16.2","id":"5b743150-75c5-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bdae8640-75c5-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"dad85840-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"0c006bb0-75c6-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"2e7363f0-75c6-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,1406],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTE3LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Nodes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Nodes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"5cba9760-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1408],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All 
Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":50}}}}"},"coreMigrationVersion":"7.16.2","id":"e2da1340-53a3-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1411],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTE5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Categories with Full Event Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Categories with Full Event Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"endgame.event_type_full\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Event 
Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Event Category\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"coreMigrationVersion":"7.16.2","id":"af1768b0-53ac-11ec-b3ef-6bcc33056a36","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1414],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTIwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"fe254730-eee5-4aff-b672-a83e54b49c12\"},\"panelIndex\":\"fe254730-eee5-4aff-b672-a83e54b49c12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_fe254730-eee5-4aff-b672-a83e54b49c12\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":13,\"y\":0,\"w\":25,\"h\":9,\"i\":\"5e96a8cf-1dab-4df2-a4be-baf960448da4\"},\"panelIndex\":\"5e96a8cf-1dab-4df2-a4be-baf960448da4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5e96a8cf-1dab-4df2-a4be-baf960448da4\"},{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":38,\"y\":0,\"w\":10,\"h\":9,\"i\":\"38c65a86-724b-4c25-8
18b-1564fbb3793f\"},\"panelIndex\":\"38c65a86-724b-4c25-818b-1564fbb3793f\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Alert Count\",\"description\":\"\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"searchSource\":{\"index\":\"endgame-*\",\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"endgame-*\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"detection\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"detection\"}}}]}}},\"enhancements\":{},\"type\":\"visualization\"}},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":16,\"i\":\"680adbf3-9347-4c45-87b8-d87587e38b09\"},\"panelIndex\":\"680adbf3-9347-4c45-87b8-d87587e38b09\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_680adbf3-9347-4c45-87b8-d87587e38b09\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":13,\"y\":9,\"w\":25,\"h\":16,\"i\":\"6569d104-bb49-4de6-8d2d-9dc49739b291\"},\"panelIndex\":\"6569d104-bb49-4de6-8d2d-9dc49739b291\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6569d104-bb49-4de6-8d2d-9dc49739b291\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":13,\"i\":\"4a354630-93fd-4370-b10f-80386aee6d00\"},\"panelIndex\":\"4a354630-93fd-4370-b10f-80386aee6d00\",\"embeddableConfig\":{\"columns\":[],\"enhancements\
":{}},\"panelRefName\":\"panel_4a354630-93fd-4370-b10f-80386aee6d00\"}]","timeRestore":false,"title":"Endgame - Host","version":1},"coreMigrationVersion":"7.16.2","id":"5d8f04d0-53b6-11ec-b3ef-6bcc33056a36","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"e2da1340-53a3-11ec-b3ef-6bcc33056a36","name":"fe254730-eee5-4aff-b672-a83e54b49c12:panel_fe254730-eee5-4aff-b672-a83e54b49c12","type":"visualization"},{"id":"2f7966b0-53a4-11ec-b3ef-6bcc33056a36","name":"5e96a8cf-1dab-4df2-a4be-baf960448da4:panel_5e96a8cf-1dab-4df2-a4be-baf960448da4","type":"visualization"},{"id":"endgame-*","name":"38c65a86-724b-4c25-818b-1564fbb3793f:kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"38c65a86-724b-4c25-818b-1564fbb3793f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"3b50b220-53ab-11ec-b3ef-6bcc33056a36","name":"680adbf3-9347-4c45-87b8-d87587e38b09:panel_680adbf3-9347-4c45-87b8-d87587e38b09","type":"visualization"},{"id":"af1768b0-53ac-11ec-b3ef-6bcc33056a36","name":"6569d104-bb49-4de6-8d2d-9dc49739b291:panel_6569d104-bb49-4de6-8d2d-9dc49739b291","type":"visualization"},{"id":"20c85b70-53aa-11ec-b3ef-6bcc33056a36","name":"4a354630-93fd-4370-b10f-80386aee6d00:panel_4a354630-93fd-4370-b10f-80386aee6d00","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1423],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTIxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1425],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Client 
Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Major Version\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor 
Version\"}}]}"},"coreMigrationVersion":"7.16.2","id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1427],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTIzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Connection Information","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connect_info.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1429],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTI0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Process 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.executable.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process Image\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Host - Process Name\"}"},"coreMigrationVersion":"7.16.2","id":"5e18a970-c77f-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1431],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP 
- URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"5e36c370-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1433],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Argument","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1435],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTI3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - FIle Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - FIle Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File 
Path\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1437],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTI4LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"97b747de-fee3-4557-84f6-3d6aecd1f5c7":{"columnOrder":["dccdca2f-fac1-43ce-8c74-d50a8a007366"],"columns":{"dccdca2f-fac1-43ce-8c74-d50a8a007366":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Hosts","operationType":"unique_count","scale":"ratio","sourceField":"host.ip"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"accessor":"dccdca2f-fac1-43ce-8c74-d50a8a007366","layerId":"97b747de-fee3-4557-84f6-3d6aecd1f5c7","layerType":"data"}},"title":"Endgame - Hosts Metric","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"df2ef610-6a1f-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-97b747de-fee3-4557-84f6-3d6aecd1f5c7","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1441],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTI5LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"fac6e4a9-2d36-463c-b2b0-b451546f6f20":{"columnOrder":["2bea62c1-f8ef-43c3-b9c3-1931437bc5db"],"columns":{"2bea62c1-f8ef-43c3-b9c3-1931437bc5db":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Alerts","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.action","negate":false,"params":{"query":"detection"},"type":"phrase"},"query":{"match_phrase":{"event.action":"detection"}}}],"query":{"language":"kuery","query":""},"visualization":{"accessor":"2bea62c1-f8ef-43c3-b9c3-1931437bc5db","layerId":"fac6e4a9-2d36-463c-b2b0-b451546f6f20","layerType":"data"}},"title":"Endgame - Alerts Metric","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"d07fce50-6a1f-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-fac6e4a9-2d36-463c-b2b0-b451546f6f20","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1446],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTMwLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"8acd9613-749e-4ecc-a97e-24fa0c586661":{"columnOrder":["8449f044-6a5e-439c-96a6-8512972b0b47","d31636dd-3123-499d-b049-f8f62bf4886c","78001c1d-52c1-42ad-ae15-d7d53f63443d"],"columns":{"78001c1d-52c1-42ad-ae15-d7d53f63443d":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"},"8449f044-6a5e-439c-96a6-8512972b0b47":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"},"d31636dd-3123-499d-b049-f8f62bf4886c":{"dataType":"string","isBucketed":true,"label":"Top values of host.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"78001c1d-52c1-42ad-ae15-d7d53f63443d","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.name"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["78001c1d-52c1-42ad-ae15-d7d53f63443d"],"layerId":"8acd9613-749e-4ecc-a97e-24fa0c586661","layerType":"data","position":"top","seriesType":"bar_stacked","showGridlines":false,"splitAccessor":"d31636dd-3123-499d-b049-f8f62bf4886c","xAccessor":"8449f044-6a5e-439c-96a6-8512972b0b47"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Logs Over 
Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"82185ff0-696d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-8acd9613-749e-4ecc-a97e-24fa0c586661","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1450],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTMxLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9643f560-7a46-408c-b61d-ed2a87fc6103":{"columnOrder":["305b2f21-9981-40d5-a79b-f7a78eea89b4","3520723b-f0f3-4845-975c-e97380d8124b"],"columns":{"305b2f21-9981-40d5-a79b-f7a78eea89b4":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3520723b-f0f3-4845-975c-e97380d8124b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"process.name"},"3520723b-f0f3-4845-975c-e97380d8124b":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"process\" "},"visualization":{"layers":[{"categoryDisplay":"default","groups":["305b2f21-9981-40d5-a79b-f7a78eea89b4"],"layerId":"9643f560-7a46-408c-b61d-ed2a87fc6103","layerType":"data","legendDisplay":"default","metric":"3520723b-f0f3-4845-975c-e97380d8124b","nestedLegend":false,"numberDisplay":"percent"}],"palette":{"name":"kibana_palette","type":"palette"},"shape":"treemap"}},"title":"Endgame - 
Processes","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"e2cff350-6ccc-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1454],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTMyLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3c3da49b-8bd7-4bda-a105-3ca8d03a92a1":{"columnOrder":["5879e1c5-7dc8-47b4-9e77-fcc86dace366"],"columns":{"5879e1c5-7dc8-47b4-9e77-fcc86dace366":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"process\" "},"visualization":{"accessor":"5879e1c5-7dc8-47b4-9e77-fcc86dace366","layerId":"3c3da49b-8bd7-4bda-a105-3ca8d03a92a1","layerType":"data"}},"title":"Endgame - Process Logs","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"ed1f0300-6cd1-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3c3da49b-8bd7-4bda-a105-3ca8d03a92a1","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1458],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTMzLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"13fd0aca-d81f-48ad-8ec0-f46d3fc261b9":{"columnOrder":["198cf7c0-6033-4379-bfca-2216fc2b6c1b","17394250-c888-4ac8-aff4-4a735e5d1c54"],"columns":{"17394250-c888-4ac8-aff4-4a735e5d1c54":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"198cf7c0-6033-4379-bfca-2216fc2b6c1b":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"process\" "},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["17394250-c888-4ac8-aff4-4a735e5d1c54"],"layerId":"13fd0aca-d81f-48ad-8ec0-f46d3fc261b9","layerType":"data","position":"top","seriesType":"area","showGridlines":false,"xAccessor":"198cf7c0-6033-4379-bfca-2216fc2b6c1b"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"area","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Process Log Count Over 
Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"f1e98360-6cd1-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-13fd0aca-d81f-48ad-8ec0-f46d3fc261b9","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1462],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTM0LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3b6026b4-9c36-4fbc-9f90-bd5580303bea":{"columnOrder":["d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721","ff0a89b4-427d-4739-bb83-86794a1f4289"],"columns":{"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ff0a89b4-427d-4739-bb83-86794a1f4289","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"user.name"},"ff0a89b4-427d-4739-bb83-86794a1f4289":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"process\" "},"visualization":{"columns":[{"columnId":"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721"},{"columnId":"ff0a89b4-427d-4739-bb83-86794a1f4289"}],"layerId":"3b6026b4-9c36-4fbc-9f90-bd5580303bea","layerType":"data"}},"title":"Endgame - Process 
Users","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"e88fd030-6ccc-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1466],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTM1LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"b4bc52f0-5c52-4bea-97fb-eb59f08750c7":{"columnOrder":["9c1ca31d-300f-4b75-868b-8a44e94694c6","dda96a38-363d-4f03-8c65-3d8376f7050e"],"columns":{"9c1ca31d-300f-4b75-868b-8a44e94694c6":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"event.action","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"dda96a38-363d-4f03-8c65-3d8376f7050e","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"event.action"},"dda96a38-363d-4f03-8c65-3d8376f7050e":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category: \"process\" "},"visualization":{"columns":[{"columnId":"9c1ca31d-300f-4b75-868b-8a44e94694c6"},{"columnId":"dda96a38-363d-4f03-8c65-3d8376f7050e"}],"layerId":"b4bc52f0-5c52-4bea-97fb-eb59f08750c7","layerType":"data"}},"title":"Endgame - Process 
Actions","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"edca7780-6ccc-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-b4bc52f0-5c52-4bea-97fb-eb59f08750c7","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1470],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTM2LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"c2cf18da-c9a6-487f-9ddb-efd26330a73b":{"columnOrder":["ba18fc18-b228-49c5-b67f-f16d03268eb5","63fe9cc9-dd12-49c3-b6f6-51722074d378","0194a818-8b41-44d5-9081-e0351a922200","e17daf81-0320-4352-84b8-598d1b19f924"],"columns":{"0194a818-8b41-44d5-9081-e0351a922200":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.executable","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e17daf81-0320-4352-84b8-598d1b19f924","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"process.executable"},"63fe9cc9-dd12-49c3-b6f6-51722074d378":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.command_line","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e17daf81-0320-4352-84b8-598d1b19f924","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"process.command_line"},"ba18fc18-b228-49c5-b67f-f16d03268eb5":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"process.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"e17daf81-0320-4352-84b8-598d1b19f924","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":
"process.name"},"e17daf81-0320-4352-84b8-598d1b19f924":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"process\" "},"visualization":{"columns":[{"columnId":"ba18fc18-b228-49c5-b67f-f16d03268eb5","isTransposed":false,"width":243},{"columnId":"63fe9cc9-dd12-49c3-b6f6-51722074d378","isTransposed":false,"width":599},{"columnId":"0194a818-8b41-44d5-9081-e0351a922200","isTransposed":false,"width":771},{"columnId":"e17daf81-0320-4352-84b8-598d1b19f924","isTransposed":false,"width":233}],"layerId":"c2cf18da-c9a6-487f-9ddb-efd26330a73b","layerType":"data"}},"title":"Endgame - Process Information","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"dbb93900-6ccc-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-c2cf18da-c9a6-487f-9ddb-efd26330a73b","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1474],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTM3LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":11,\"i\":\"26712c83-24f3-4af6-a20e-edab103002fd\"},\"panelIndex\":\"26712c83-24f3-4af6-a20e-edab103002fd\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - 
Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_26712c83-24f3-4af6-a20e-edab103002fd\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":11,\"i\":\"b7feb2b8-999d-433e-9b12-85aacdc61f16\"},\"panelIndex\":\"b7feb2b8-999d-433e-9b12-85aacdc61f16\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Logs\",\"panelRefName\":\"panel_b7feb2b8-999d-433e-9b12-85aacdc61f16\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":11,\"i\":\"8b515da9-7c43-4e1a-872f-e92da896933f\"},\"panelIndex\":\"8b515da9-7c43-4e1a-872f-e92da896933f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Log Count Over 
Time\",\"panelRefName\":\"panel_8b515da9-7c43-4e1a-872f-e92da896933f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":15,\"i\":\"7837aa9f-dca6-4a7b-9881-65f26b2a5f4f\"},\"panelIndex\":\"7837aa9f-dca6-4a7b-9881-65f26b2a5f4f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Processes\",\"panelRefName\":\"panel_7837aa9f-dca6-4a7b-9881-65f26b2a5f4f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":11,\"w\":10,\"h\":15,\"i\":\"26df0dd7-8042-4e69-a4b1-c8ed5a677f6a\"},\"panelIndex\":\"26df0dd7-8042-4e69-a4b1-c8ed5a677f6a\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Users\",\"panelRefName\":\"panel_26df0dd7-8042-4e69-a4b1-c8ed5a677f6a\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":11,\"w\":14,\"h\":15,\"i\":\"508bbc67-1a96-465d-b30d-23aecaaf4895\"},\"panelIndex\":\"508bbc67-1a96-465d-b30d-23aecaaf4895\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Actions\",\"panelRefName\":\"panel_508bbc67-1a96-465d-b30d-23aecaaf4895\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":14,\"i\":\"a89ab8ad-a272-405f-8db8-4f722bbfeb61\"},\"panelIndex\":\"a89ab8ad-a272-405f-8db8-4f722bbfeb61\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Process Information\",\"panelRefName\":\"panel_a89ab8ad-a272-405f-8db8-4f722bbfeb61\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":17,\"i\":\"9248209e-9f35-48c5-958c-3cab215eb410\"},\"panelIndex\":\"9248209e-9f35-48c5-958c-3cab215eb410\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9248209e-9f35-48c5-958c-3cab215eb410\"}]","timeRestore":false,"title":"Endgame - 
Process","version":1},"coreMigrationVersion":"7.16.2","id":"790991a0-6287-11ec-864c-8b5450f97635","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"26712c83-24f3-4af6-a20e-edab103002fd:panel_26712c83-24f3-4af6-a20e-edab103002fd","type":"visualization"},{"id":"ed1f0300-6cd1-11ec-864c-8b5450f97635","name":"b7feb2b8-999d-433e-9b12-85aacdc61f16:panel_b7feb2b8-999d-433e-9b12-85aacdc61f16","type":"lens"},{"id":"f1e98360-6cd1-11ec-864c-8b5450f97635","name":"8b515da9-7c43-4e1a-872f-e92da896933f:panel_8b515da9-7c43-4e1a-872f-e92da896933f","type":"lens"},{"id":"e2cff350-6ccc-11ec-864c-8b5450f97635","name":"7837aa9f-dca6-4a7b-9881-65f26b2a5f4f:panel_7837aa9f-dca6-4a7b-9881-65f26b2a5f4f","type":"lens"},{"id":"e88fd030-6ccc-11ec-864c-8b5450f97635","name":"26df0dd7-8042-4e69-a4b1-c8ed5a677f6a:panel_26df0dd7-8042-4e69-a4b1-c8ed5a677f6a","type":"lens"},{"id":"edca7780-6ccc-11ec-864c-8b5450f97635","name":"508bbc67-1a96-465d-b30d-23aecaaf4895:panel_508bbc67-1a96-465d-b30d-23aecaaf4895","type":"lens"},{"id":"dbb93900-6ccc-11ec-864c-8b5450f97635","name":"a89ab8ad-a272-405f-8db8-4f722bbfeb61:panel_a89ab8ad-a272-405f-8db8-4f722bbfeb61","type":"lens"},{"id":"424d7a60-6f0b-11ec-864c-8b5450f97635","name":"9248209e-9f35-48c5-958c-3cab215eb410:panel_9248209e-9f35-48c5-958c-3cab215eb410","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1484],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTM4LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"521cff19-8a9b-4da3-9494-488b27d4dd82":{"columnOrder":["8dfaf54f-d93c-4ec7-b0ba-eb0952346f84","34b55020-af44-47dd-8789-141a3bded802","1f3dc877-ccc1-43a6-8405-b2866867032c"],"columns":{"1f3dc877-ccc1-43a6-8405-b2866867032c":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"34b55020-af44-47dd-8789-141a3bded802":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"registry.key","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1f3dc877-ccc1-43a6-8405-b2866867032c","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"registry.key"},"8dfaf54f-d93c-4ec7-b0ba-eb0952346f84":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.hostname","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"1f3dc877-ccc1-43a6-8405-b2866867032c","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"host.name"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category : \"registry\" "},"visualization":{"columns":[{"columnId":"8dfaf54f-d93c-4ec7-b0ba-eb0952346f84","isTransposed":false},{"columnId":"34b55020-af44-47dd-8789-141a3bded802","isTransposed":false},{"columnId":"1f3dc877-ccc1-43a6-8405-b2866867032c","isTransposed":false}],"layerId":"521cff19-8a9b-4da3-9494-488b27d4dd82","layerType":"data"}},"title":"Endgame - Registry 
Events","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"e1e12ab0-6cc5-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-521cff19-8a9b-4da3-9494-488b27d4dd82","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1488],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTM5LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":9,\"i\":\"64356467-dfe4-4eed-b53d-0cdf0b94f6d0\"},\"panelIndex\":\"64356467-dfe4-4eed-b53d-0cdf0b94f6d0\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_64356467-dfe4-4eed-b53d-0cdf0b94f6d0\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":11,\"y\":0,\"w\":15,\"h\":9,\"i\":\"cc23bd7c-9000-4af9-875e-5779794011d0\"},\"panelIndex\":\"cc23bd7c-9000-4af9-875e-5779794011d0\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_cc23bd7c-9000-4af9-875e-5779794011d0\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":26,\"y\":0,\"w\":11,\"h\":9,\"i\":\"276394f1-fa5b-42b2-ab7c-8db18bd367a3\"},\"panelIndex\":\"276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"le
ns\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-97b747de-fee3-4557-84f6-3d6aecd1f5c7\"}],\"state\":{\"visualization\":{\"layerId\":\"97b747de-fee3-4557-84f6-3d6aecd1f5c7\",\"accessor\":\"dccdca2f-fac1-43ce-8c74-d50a8a007366\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"97b747de-fee3-4557-84f6-3d6aecd1f5c7\":{\"columns\":{\"dccdca2f-fac1-43ce-8c74-d50a8a007366\":{\"label\":\"Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.ip\",\"isBucketed\":false,\"customLabel\":true}},\"columnOrder\":[\"dccdca2f-fac1-43ce-8c74-d50a8a007366\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_276394f1-fa5b-4
2b2-ab7c-8db18bd367a3\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":9,\"i\":\"2c8d6219-3e37-47c9-bfb2-9330167ad7b8\"},\"panelIndex\":\"2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330
167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-fac6e4a9-2d36-463c-b2b0-b451546f6f20\"},{\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\",\"id\":\"endgame-*\"}],\"state\":{\"visualization\":{\"layerId\":\"fac6e4a9-2d36-463c-b2b0-b451546f6f20\",\"accessor\":\"2bea62c1-f8ef-43c3-b9c3-1931437bc5db\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"detection\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.action\":\"detection\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fac6e4a9-2d36-463c-b2b0-b451546f6f20\":{\"columns\":{\"2bea62c1-f8ef-43c3-b9c3-1931437bc5db\":{\"label\":\"Alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"customLabel\":true}},\"columnOrder\":[\"2bea62c1-f8ef-43c3-b9c3-1931437bc5db\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":9,\"w\":48,\"h\":13,\"i\":\"f702b2f2-5fc3-4a29-90a6-0d0d223fd358\"},\"panelIndex\":\"f702b2f2-5fc3-4a29-90a6-0d0d223fd358\",\"embeddab
leConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f702b2f2-5fc3-4a29-90a6-0d0d223fd358\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":14,\"i\":\"93800440-ed84-48b6-8055-c58a5d290ec6\"},\"panelIndex\":\"93800440-ed84-48b6-8055-c58a5d290ec6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-
6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-1828f449-a2e9-4ed2-a72c-e6f22382569e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"e5498d4d-b9af-4016-8afc-e4639ceb6c10\",\"isTransposed\":false},{\"columnId\":\"b76f4623-7690-4ad3-ae68-d19b80a2361a\",\"isTransposed\":false}],\"layerId\":\"1828f449-a2e9-4ed2-a72c-e6f22382569e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1828f449-a2e9-4ed2-a72c-e6f22382569e\":{\"columns\":{\"e5498d4d-b9af-4016-8afc-e4639ceb6c10\":{\"label\":\"Top values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false}},\"b76f4623-7690-4ad3-ae68-d19b80a2361a\":{\"label\":\"Last value of 
host.ip\",\"dataType\":\"ip\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.ip\",\"params\":{\"sortField\":\"@timestamp\"}}},\"columnOrder\":[\"e5498d4d-b9af-4016-8afc-e4639ceb6c10\",\"b76f4623-7690-4ad3-ae68-d19b80a2361a\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":36,\"w\":48,\"h\":14,\"i\":\"f389ba6c-bcad-4564-aca0-e696e2981239\"},\"panelIndex\":\"f389ba6c-bcad-4564-aca0-e696e2981239\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f389ba6c-bcad-4564-aca0-e696e2981239\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":50,\"w\":48,\"h\":18,\"i\":\"1ae20b57-e5db-4e2b-b45b-51132e0892d2\"},\"panelIndex\":\"1ae20b57-e5db-4e2b-b45b-51132e0892d2\",\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"panelRefName\":\"panel_1ae20b57-e5db-4e2b-b45b-51132e0892d2\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":23,\"h\":16,\"i\":\"64991e9b-5624-4d8d-9624-3077e970068f\"},\"panelIndex\":\"64991e9b-5624-4d8d-9624-3077e970068f\",\"embeddableConfig\":{\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"842ed2f7-3fb1-4c0d-a62c-dd9d06de42da\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to Dashboard\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true}}}]}},\"hidePanelTitles\":false},\"title\":\"Endgame - Network DNS Requests 
Chart\",\"panelRefName\":\"panel_64991e9b-5624-4d8d-9624-3077e970068f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":68,\"w\":25,\"h\":16,\"i\":\"d3b35751-4ec0-441c-a399-4c56a38ea9d3\"},\"panelIndex\":\"d3b35751-4ec0-441c-a399-4c56a38ea9d3\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"99f3c946-0494-42aa-a14f-cac5dce6757d\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View in Process Dashboard\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true}}}]}}},\"title\":\"Endgame - Processes\",\"panelRefName\":\"panel_d3b35751-4ec0-441c-a399-4c56a38ea9d3\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":84,\"w\":24,\"h\":15,\"i\":\"77406005-0714-4d8f-a535-79c693437dfe\"},\"panelIndex\":\"77406005-0714-4d8f-a535-79c693437dfe\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Auth Event 
Outcome\",\"panelRefName\":\"panel_77406005-0714-4d8f-a535-79c693437dfe\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":84,\"w\":24,\"h\":15,\"i\":\"79b433c6-e740-40be-8b5e-02155ee11955\"},\"panelIndex\":\"79b433c6-e740-40be-8b5e-02155ee11955\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b\"},{
\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\",\"id\":\"endgame-*\"}],\"state\":{\"visualization\":{\"layerId\":\"e5f77e35-1bc5-4487-9602-e2962cafa87b\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"ade5af28-bac8-4a2d-adff-28580282a9d2\"},{\"isTransposed\":false,\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},{\"columnId\":\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e5f77e35-1bc5-4487-9602-e2962cafa87b\":{\"columns\":{\"ade5af28-bac8-4a2d-adff-28580282a9d2\":{\"label\":\"Top values of file.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}},\"e480935c-b388-48c6-9582-fb4600b462fb\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bb5f0057-5e74-4baf-9839-aff53de6d145\":{\"label\":\"Top values of 
file.path\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.path\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}}},\"columnOrder\":[\"ade5af28-bac8-4a2d-adff-28580282a9d2\",\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"e480935c-b388-48c6-9582-fb4600b462fb\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false,\"type\":\"lens\"},\"title\":\"Endgame - File Name\",\"panelRefName\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":99,\"w\":48,\"h\":15,\"i\":\"812191d7-0fc5-4dba-8cb6-600b9e3ee15c\"},\"panelIndex\":\"812191d7-0fc5-4dba-8cb6-600b9e3ee15c\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Registry Events\",\"panelRefName\":\"panel_812191d7-0fc5-4dba-8cb6-600b9e3ee15c\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":114,\"w\":48,\"h\":19,\"i\":\"b4898ca9-c99e-4ea2-a269-4e60616f2a4f\"},\"panelIndex\":\"b4898ca9-c99e-4ea2-a269-4e60616f2a4f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b4898ca9-c99e-4ea2-a269-4e60616f2a4f\"}]","timeRestore":false,"title":"Endgame - 
Admin","version":1},"coreMigrationVersion":"7.16.2","id":"6063a9e0-61b2-11ec-864c-8b5450f97635","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"64356467-dfe4-4eed-b53d-0cdf0b94f6d0:panel_64356467-dfe4-4eed-b53d-0cdf0b94f6d0","type":"visualization"},{"id":"e2da1340-53a3-11ec-b3ef-6bcc33056a36","name":"cc23bd7c-9000-4af9-875e-5779794011d0:panel_cc23bd7c-9000-4af9-875e-5779794011d0","type":"visualization"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f9763
5","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"df2ef610-6a1f-11ec-864c-8b5450f97635","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3","type":"lens"},{"id":"endgame-*","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"276394f1-fa5b-42b2-ab7c-8db18bd367a3:indexpattern-datasource-layer-97b747de-fee3-4557-84f6-3d6aecd1f5c7","type":"index-pattern"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-
bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"d07fce50-6a1f-11ec-864
c-8b5450f97635","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8","type":"lens"},{"id":"endgame-*","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:indexpattern-datasource-layer-fac6e4a9-2d36-463c-b2b0-b451546f6f20","type":"index-pattern"},{"id":"endgame-*","name":"2c8d6219-3e37-47c9-bfb2-9330167ad7b8:filter-index-pattern-0","type":"index-pattern"},{"id":"82185ff0-696d-11ec-864c-8b5450f97635","name":"f702b2f2-5fc3-4a29-90a6-0d0d223fd358:panel_f702b2f2-5fc3-4a29-90a6-0d0d223fd358","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type"
:"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"03935e10-6a20-11ec-864c-8b5450f97635","name":"93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6","type":"lens"},{"id":"endgame-*","name":"93800440-ed84-48b6-8055-c58a5d290ec6:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"93800440-ed84-48b6-8055-c58a5d290ec6:indexpattern-datasource-layer-1828f449-a2e9-4ed2-a72c-e6f22382569e","type":"index-pattern"},{"id":"3ae34620-6258-11ec-864c-8b5450f97635","name":"f389ba6c-bcad-4564-aca0-e696e2981239:panel_f389ba6c-bcad-4564-aca0-e696e2981239","type":"visualization"},{"id":"de389910-6f0a-11ec-864c-8b5450f97635","name":"1ae20b57-e5db-4e2b-b45b-51132e0892d2:panel_1ae20b57-e5db-4e2b-b45b-51132e0892d2","type":"visualization"},{"id":"f30bef10-6328-11ec-864c-8b5450f97635","
name":"64991e9b-5624-4d8d-9624-3077e970068f:panel_64991e9b-5624-4d8d-9624-3077e970068f","type":"lens"},{"id":"49d34770-53b2-11ec-b3ef-6bcc33056a36","name":"64991e9b-5624-4d8d-9624-3077e970068f:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:842ed2f7-3fb1-4c0d-a62c-dd9d06de42da:dashboardId","type":"dashboard"},{"id":"e2cff350-6ccc-11ec-864c-8b5450f97635","name":"d3b35751-4ec0-441c-a399-4c56a38ea9d3:panel_d3b35751-4ec0-441c-a399-4c56a38ea9d3","type":"lens"},{"id":"790991a0-6287-11ec-864c-8b5450f97635","name":"d3b35751-4ec0-441c-a399-4c56a38ea9d3:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:99f3c946-0494-42aa-a14f-cac5dce6757d:dashboardId","type":"dashboard"},{"id":"072ae530-6d6c-11ec-864c-8b5450f97635","name":"77406005-0714-4d8f-a535-79c693437dfe:panel_77406005-0714-4d8f-a535-79c693437dfe","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{
"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"676296e0-6d6d-11ec-864c-8b5450f97635","name":"79b433c6-e740-40be-8b5e-02155ee11955:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2","type":"lens"},{"id":"endgame-*","name":"79b433c6-e740-40be-8b5e-02155ee11955:indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"79b433c6-e740-40be-8b5e-02155ee11955:indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b","type":"index-pattern"},{"id":"endgame-*","name":"79b433c6-e740-40be-8b5e-02155ee11955:filter-index-pattern-0","type":"index-pattern"},{"id":"e1e12ab0-6cc5-11ec-864c-8b5450f97635","name":"812191d7-0fc5-4dba-8cb6-600b9e3ee15c:panel_812191d7-0fc5-4dba-8cb6-600b9e3ee15c","type":"lens"},{"id":"20c85b70-53aa-11ec-b3ef-6bcc33056a36","name":"b4898ca9-c99e-4ea2-a269-4e60616f2a4f:panel_b4898ca9-c99e-4ea2-a269-4e60616f2a4f","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1578],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Data Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Data 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"60925490-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"sort":[1643385898421,1580],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1582],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1584],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname (Tag Cloud)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - Hostname (Tag 
Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":30,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1586],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQ0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Hostname","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1588],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQ1LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Launch String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Launch String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"launch_string.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Launch String\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1590],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQ2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Company","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Autoruns - 
Company\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":36,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"company.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1592],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Signer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Autoruns - Signer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"signer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Signer\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1594],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQ4LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Autoruns - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Autoruns - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHG1IaxQT5EBNmq4yR","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1596],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTQ5LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{
\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":32,\"x\":0,\"y\":120,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"columns\":[\"entry\",\"entry_location\",\"image_path\",\"hostname\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Autoruns","version":1},"coreMigrationVersion":"7.16.2","id":"61d43810-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"bf5ab2d0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"482be9b0-6d78-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"c5d58f60-6d78-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"1cd6a970-6d79-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"df5e9e80-6d79-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"2ef9ccd0-6d7a-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"cfd94590-6d7a-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"96105ff0-6d7b-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6cf187b0-6d7c-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"dd700830-6d69-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHG1IaxQT5EBNmq4yR","name":"panel_11","type":"visualization"}],"sort":[1643385898421,1609],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTUwLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category.keyword : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Event.Cat:Registry Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - Event.Cat:Registry Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\"
:{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"},"coreMigrationVersion":"7.16.2","id":"61f72150-6406-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1612],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTUxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1614],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTUyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - 
Function","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.function.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"modbus.function.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}}]}"},"coreMigrationVersion":"7.16.2","id":"62449800-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1616],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTUzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - 
Success","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"coreMigrationVersion":"7.16.2","id":"62969db0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1618],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTU0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Destination IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"62ac4060-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,1620],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTU1LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"e316de92-6d8b-4ef1-8197-18b0b339413f":{"columnOrder":["7e8c9bea-75f8-4666-be0e-a3c8e96f7739"],"columns":{"7e8c9bea-75f8-4666-be0e-a3c8e96f7739":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"accessor":"7e8c9bea-75f8-4666-be0e-a3c8e96f7739","layerId":"e316de92-6d8b-4ef1-8197-18b0b339413f","layerType":"data"}},"title":"Endgame - Auth Count","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"63569670-6d6b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-e316de92-6d8b-4ef1-8197-18b0b339413f","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1625],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTU2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Desktop 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"desktop_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"63c072c0-371f-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1627],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Drilldown - Rule Signature","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Drilldown - Rule Signature\",\"type\":\"table\",\"params\":{\"perPage\":1,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"rule_signature.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"NIDS 
Signature\"}}]}"},"coreMigrationVersion":"7.16.2","id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1629],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTU4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Facility","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Syslog - Facility\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.facility_label: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.facility_label\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1631],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.severity_label\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Syslog - 
Severity\"}"},"coreMigrationVersion":"7.16.2","id":"9e1a4240-c77a-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1633],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTYwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:syslog\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\"},\"panelIndex\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\"},\"panelIndex\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\"},\"panelIndex\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":18,\"i\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\"},\"panelIndex\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":18,\"i\":\"16f2046a-4417-4e78-9699-65d253db78cb\"},\"panelIndex\":\"16f2046a-4417-4e78-9699-65d253db78cb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":8,\"w\":11,\"h\":18,\"i\":\"226810af-b55b-4fba-99c8-0c28ca99aa
37\"},\"panelIndex\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":27,\"y\":8,\"w\":9,\"h\":18,\"i\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\"},\"panelIndex\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":18,\"i\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\"},\"panelIndex\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":29,\"i\":\"b06c2c59-18a2-4e4c-bfc8-b4d496a89d30\"},\"panelIndex\":\"b06c2c59-18a2-4e4c-bfc8-b4d496a89d30\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Syslog","version":1},"coreMigrationVersion":"7.16.2","id":"66499a20-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"e017cb80-777b-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"9e1a4240-c77a-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,1643],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTYxLDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"842f61f9-afc4-44dc-a6bd-e3cc66a8827b":{"columnOrder":["2834ba67-2809-442b-b80b-4b17d3a67d43"],"columns":{"2834ba67-2809-442b-b80b-4b17d3a67d43":{"customLabel":true,"dataType":"number","isBucketed":false,"label":" ","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"accessor":"2834ba67-2809-442b-b80b-4b17d3a67d43","layerId":"842f61f9-afc4-44dc-a6bd-e3cc66a8827b","layerType":"data"}},"title":"Endgame - Alerts","visualizationType":"lnsMetric"},"coreMigrationVersion":"7.16.2","id":"668e9130-6cc1-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1647],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTYyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Query/Answer","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1649],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTYzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - 
Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1651],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTY0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1653],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTY1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sensors - Sensor and Services (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sensors - Sensor and Services (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"sort":[1643385898421,1655],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTY2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"73806f30-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1657],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTY3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Top 50 - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Top 50 - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c0de57b0-4948-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1659],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTY4LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5
\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":120,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"columns\":[\"hostname\",\"alert_level\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{
\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"panelIndex\":\"22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_15\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_16\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"panelIndex\":\"27\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_17\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"panelIndex\":\"28\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_18\"}]","timeRestore":false,"title":"z16.04 - 
Indicator","version":1},"coreMigrationVersion":"7.16.2","id":"68563ed0-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"60925490-34bf-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_2","type":"visualization"},{"id":"ae1f1fb0-3648-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"d0f56da0-3648-11e7-bf60-314364dd1cde","name":"panel_4","type":"visualization"},{"id":"8ba31820-34c6-11e7-8360-0b86c90983fd","name":"panel_5","type":"visualization"},{"id":"7153e7f0-34c7-11e7-8360-0b86c90983fd","name":"panel_6","type":"visualization"},{"id":"c7eed4c0-3649-11e7-bf60-314364dd1cde","name":"panel_7","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_8","type":"visualization"},{"id":"d9096bb0-342f-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_10","type":"search"},{"id":"934fe550-6e08-11e7-9370-174c4785d3e1","name":"panel_11","type":"visualization"},{"id":"3f4abb40-6e0a-11e7-84cc-b363f104b3c7","name":"panel_12","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_13","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_14","type":"visualization"},{"id":"07fdf9e0-39ad-11e7-8472-0151e5b2b475","name":"panel_15","type":"visualization"},{"id":"9c979ea0-345b-11e7-8867-29a39c0f86b2","name":"panel_16","type":"visualization"},{"id":"73806f30-4948-11e8-9576-313be7c6b44b","name":"panel_17","type":"visualization"},{"id":"c0de57b0-4948-11e8-9576-313be7c6b44b","name":"panel_18","type":"visualization"}],"sort":[1643385898421,1679],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTY5LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"coreMigrationVersion":"7.16.2","id":"689991b0-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,1681],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTcwLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"Connections - Source - Originator Bytes","version":1},"coreMigrationVersion":"7.16.2","id":"68f738e0-46ca-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"05809df0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"sort":[1643385898421,1684],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTcxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SNMP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SNMP - 
Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"snmp.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"},"coreMigrationVersion":"7.16.2","id":"690ef880-75e9-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1686],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTcyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Weird - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"691ade50-4c85-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1688],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c97cd4c0-35ba-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1690],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTc0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"710ccbf0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1692],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTc1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Success Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Success Status (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"kerberos_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"b31231c0-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1694],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTc2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f0178840-35bb-11e7-b9ee-834112670159","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1696],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTc3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Kerberos - Cipher (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Kerberos - Cipher (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cipher.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1698],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTc4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1700],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTc5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1702],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Renewable","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Kerberos - 
Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"renewable.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"bb748470-6e1a-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1704],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTgxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Kerberos - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG_UbkxQT5EBNmq4Lg","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1706],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTgyLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"request_type\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"e
nhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Kerberos","version":1},"coreMigrationVersion":"7.16.2","id":"6b0d4870-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"c97cd4c0-35ba-11e7-b9ee-834112670159","name":"panel_1","type":"visualization"},{"id":"452daa10-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"710ccbf0-35bb-11e7-b9ee-834112670159","name":"panel_3","type":"visualization"},{"id":"b31231c0-35bb-11e7-b9ee-834112670159","name":"panel_4","type":"visualization"},{"id":"f0178840-35bb-11e7-b9ee-834112670159","name":"panel_5","type":"visualization"},{"id":"e3fffae0-3635-11e7-a6f7-4f44d7bf1c33","name":"panel_6","type":"visualization"},{"id":"28d04080-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_7","type":"visualization"},{"id":"3f34faa0-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_8","type":"visualization"},{"id":"84f28670-3636-11e7-a6f7-4f44d7bf1c33","name":"panel_9","type":"visualization"},{"id":"f7c48a20-6e19-11e7-89e4-613b96f597e1","name":"panel_10","type":"visualization"},{"id":"4aa0b2a0-6e1a-11e7-89e4-613b96f597e1","name":"panel_11","type":"visualization"},{"id":"bb748470-6e1a-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDG_UbkxQT5EBNmq4Lg","name":"panel_13","type":"visualization"}],"sort":[1643385898421,1721],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Intel - Indicator Type (Pie)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Intel - Indicator Type 
(Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.indicator_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":24,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Indicator Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"},"coreMigrationVersion":"7.16.2","id":"6b109430-0e60-11eb-a255-e1e8e85e3571","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1723],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTg0LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"f792f3cd-4a3c-4788-a3f8-33542035b98e":{"columnOrder":["4aaf35d6-7ed3-4d81-9a7d-85bbc43459c1","c7495830-1f48-4613-a2a1-e9213447910f","3926249d-4707-4e24-a637-7a2b9d046856"],"columns":{"3926249d-4707-4e24-a637-7a2b9d046856":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"4aaf35d6-7ed3-4d81-9a7d-85bbc43459c1":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3926249d-4707-4e24-a637-7a2b9d046856","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.user.name"},"c7495830-1f48-4613-a2a1-e9213447910f":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3926249d-4707-4e24-a637-7a2b9d046856","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"user.name"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"4aaf35d6-7ed3-4d81-9a7d-85bbc43459c1","isTransposed":false},{"columnId":"c7495830-1f48-4613-a2a1-e9213447910f","isTransposed":false},{"columnId":"3926249d-4707-4e24-a637-7a2b9d046856","isTransposed":false}],"layerId":"f792f3cd-4a3c-4788-a3f8-33542035b98e","layerType":"data"}},"title":"Endgame - Auth 
Username","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"6b3841e0-6d6b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-f792f3cd-4a3c-4788-a3f8-33542035b98e","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1728],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTg1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination Port","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Sysmon - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"param
s\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6b70b840-6d75-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1730],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTg2LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"4a1ec78a-56cc-4227-919e-857b47d902dd":{"columnOrder":["fb18d67e-9996-499c-95e1-0e67c91567c8","c8eeb0da-7ef2-40fa-b837-808e4e34c536","56f86bee-5b6e-42b4-92f3-563f7782aa71"],"columns":{"56f86bee-5b6e-42b4-92f3-563f7782aa71":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"c8eeb0da-7ef2-40fa-b837-808e4e34c536":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"},"fb18d67e-9996-499c-95e1-0e67c91567c8":{"dataType":"string","isBucketed":true,"label":"Top values of 
event.outcome","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"56f86bee-5b6e-42b4-92f3-563f7782aa71","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"event.outcome"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["56f86bee-5b6e-42b4-92f3-563f7782aa71"],"layerId":"4a1ec78a-56cc-4227-919e-857b47d902dd","layerType":"data","position":"top","seriesType":"bar_stacked","showGridlines":false,"splitAccessor":"fb18d67e-9996-499c-95e1-0e67c91567c8","xAccessor":"c8eeb0da-7ef2-40fa-b837-808e4e34c536"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_stacked","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Auth Logs Over 
Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"6f648670-6d6b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-4a1ec78a-56cc-4227-919e-857b47d902dd","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1735],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTg3LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3f16332f-15b4-4f4f-8cd0-3904d1082ad9":{"columnOrder":["ac84ac59-9300-4b99-b002-b9c3bcb375d0","d449a510-00fe-4b24-bd3d-5c9d4e5fc67b"],"columns":{"ac84ac59-9300-4b99-b002-b9c3bcb375d0":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"host.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"d449a510-00fe-4b24-bd3d-5c9d4e5fc67b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"host.name"},"d449a510-00fe-4b24-bd3d-5c9d4e5fc67b":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count ","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"ac84ac59-9300-4b99-b002-b9c3bcb375d0"},{"columnId":"d449a510-00fe-4b24-bd3d-5c9d4e5fc67b"}],"layerId":"3f16332f-15b4-4f4f-8cd0-3904d1082ad9","layerType":"data"}},"title":"Endgame 
- Auth Hostname","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"b6bd72c0-6d6b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3f16332f-15b4-4f4f-8cd0-3904d1082ad9","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1740],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTg4LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"67aa62dc-542c-4302-b7ca-3f58dcae48bc":{"columnOrder":["c6c215da-4e22-4969-b00a-fb6a0a85eac3","5f851d2a-ab05-4075-9aa3-8d73eb2d0d08"],"columns":{"5f851d2a-ab05-4075-9aa3-8d73eb2d0d08":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"c6c215da-4e22-4969-b00a-fb6a0a85eac3":{"dataType":"string","isBucketed":true,"label":"Top values of 
event.action","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"5f851d2a-ab05-4075-9aa3-8d73eb2d0d08","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.action"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["c6c215da-4e22-4969-b00a-fb6a0a85eac3"],"layerId":"67aa62dc-542c-4302-b7ca-3f58dcae48bc","layerType":"data","legendDisplay":"default","metric":"5f851d2a-ab05-4075-9aa3-8d73eb2d0d08","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Endgame - Auth Event Action (Donut)","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"d3e6cf90-6d6b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-67aa62dc-542c-4302-b7ca-3f58dcae48bc","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1745],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTg5LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"d00a9d6e-a40e-4051-9999-946bca8cc10a":{"columnOrder":["2ff29508-b249-4b8b-8472-7b287d1a458d","4fbce0f5-b26d-4996-a04a-8f28c03e85e1"],"columns":{"2ff29508-b249-4b8b-8472-7b287d1a458d":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"event.action","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"4fbce0f5-b26d-4996-a04a-8f28c03e85e1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.action"},"4fbce0f5-b26d-4996-a04a-8f28c03e85e1":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"authentication"},"type":"phrase"},"query":{"match_phrase":{"event.category":"authentication"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"2ff29508-b249-4b8b-8472-7b287d1a458d"},{"columnId":"4fbce0f5-b26d-4996-a04a-8f28c03e85e1"}],"layerId":"d00a9d6e-a40e-4051-9999-946bca8cc10a","layerType":"data"}},"title":"Endgame - Auth Event 
Action","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"c9b17020-6d6b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-d00a9d6e-a40e-4051-9999-946bca8cc10a","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1750],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTkwLDE1XQ=="} -{"attributes":{"columns":["host.hostname","user.name","host.ip"],"description":"","grid":{},"hideChart":false,"hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"authentication\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Endgame - Authentication Search","version":1},"coreMigrationVersion":"7.16.2","id":"7a1fc780-6f07-11ec-864c-8b5450f97635","migrationVersion":{"search":"7.9.3"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"}],"sort":[1643385898421,1753],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTkxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":10,\"i\":\"16f743b7-687e-43ce-86a5-3ad5c607c1fe\"},\"panelIndex\":\"16f743b7-687e-43ce-86a5-3ad5c607c1fe\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_16f743b7-687e-43ce-86a5-3ad5c607c1fe\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":14,\"h\":10,\"i\":\"b9a19eb1-8a99-4ba7-89e5-7176371c1365\"},\"panelIndex\":\"b9a19eb1-8a99-4ba7-89e5-7176371c1365\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth 
Count\",\"panelRefName\":\"panel_b9a19eb1-8a99-4ba7-89e5-7176371c1365\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":10,\"i\":\"f16a41be-56eb-4852-b44c-7303c89b3332\"},\"panelIndex\":\"f16a41be-56eb-4852-b44c-7303c89b3332\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Username\",\"panelRefName\":\"panel_f16a41be-56eb-4852-b44c-7303c89b3332\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":15,\"i\":\"dc68201b-bd8a-4fe9-9009-68fe91013c9f\"},\"panelIndex\":\"dc68201b-bd8a-4fe9-9009-68fe91013c9f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Logs Over Time\",\"panelRefName\":\"panel_dc68201b-bd8a-4fe9-9009-68fe91013c9f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":10,\"w\":24,\"h\":10,\"i\":\"c394186d-2848-42bf-a521-7ba497a3b3b6\"},\"panelIndex\":\"c394186d-2848-42bf-a521-7ba497a3b3b6\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Hostname\",\"panelRefName\":\"panel_c394186d-2848-42bf-a521-7ba497a3b3b6\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":20,\"w\":24,\"h\":15,\"i\":\"c08e4616-5f26-4b6a-aa37-9c6a5e27d739\"},\"panelIndex\":\"c08e4616-5f26-4b6a-aa37-9c6a5e27d739\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[]}}},\"title\":\"Endgame - Auth Event Action (Donut)\",\"panelRefName\":\"panel_c08e4616-5f26-4b6a-aa37-9c6a5e27d739\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":24,\"h\":10,\"i\":\"d7b3a140-a1a5-48d4-82a5-a84dc3a0285a\"},\"panelIndex\":\"d7b3a140-a1a5-48d4-82a5-a84dc3a0285a\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Event 
Action\",\"panelRefName\":\"panel_d7b3a140-a1a5-48d4-82a5-a84dc3a0285a\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":35,\"w\":48,\"h\":15,\"i\":\"aa35ad44-a937-4fa6-9444-7bcb1922a167\"},\"panelIndex\":\"aa35ad44-a937-4fa6-9444-7bcb1922a167\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Auth Event Outcome\",\"panelRefName\":\"panel_aa35ad44-a937-4fa6-9444-7bcb1922a167\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":50,\"w\":48,\"h\":18,\"i\":\"ffffbd7a-71f4-4977-bdf2-cad011e281c4\"},\"panelIndex\":\"ffffbd7a-71f4-4977-bdf2-cad011e281c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ffffbd7a-71f4-4977-bdf2-cad011e281c4\"}]","timeRestore":false,"title":"Endgame - Authentication","version":1},"coreMigrationVersion":"7.16.2","id":"6c5aaff0-63f6-11ec-864c-8b5450f97635","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"16f743b7-687e-43ce-86a5-3ad5c607c1fe:panel_16f743b7-687e-43ce-86a5-3ad5c607c1fe","type":"visualization"},{"id":"63569670-6d6b-11ec-864c-8b5450f97635","name":"b9a19eb1-8a99-4ba7-89e5-7176371c1365:panel_b9a19eb1-8a99-4ba7-89e5-7176371c1365","type":"lens"},{"id":"6b3841e0-6d6b-11ec-864c-8b5450f97635","name":"f16a41be-56eb-4852-b44c-7303c89b3332:panel_f16a41be-56eb-4852-b44c-7303c89b3332","type":"lens"},{"id":"6f648670-6d6b-11ec-864c-8b5450f97635","name":"dc68201b-bd8a-4fe9-9009-68fe91013c9f:panel_dc68201b-bd8a-4fe9-9009-68fe91013c9f","type":"lens"},{"id":"b6bd72c0-6d6b-11ec-864c-8b5450f97635","name":"c394186d-2848-42bf-a521-7ba497a3b3b6:panel_c394186d-2848-42bf-a521-7ba497a3b3b6","type":"lens"},{"id":"d3e6cf90-6d6b-11ec-864c-8b5450f97635","name":"c08e4616-5f26-4b6a-aa37-9c6a5e27d739:panel_c08e4616-5f26-4b6a-aa37-9c6a5e27d739","type":"lens"},{"id":"c9b17020-6d6b-11ec-864c-8b5450f97635","name":"d7b3a140-a1a5-48d4-82a5-a84dc3a0285a:panel_d7b3a140-a1a5-48d4-82a5-a84dc3a0285a","type":"le
ns"},{"id":"072ae530-6d6c-11ec-864c-8b5450f97635","name":"aa35ad44-a937-4fa6-9444-7bcb1922a167:panel_aa35ad44-a937-4fa6-9444-7bcb1922a167","type":"lens"},{"id":"7a1fc780-6f07-11ec-864c-8b5450f97635","name":"ffffbd7a-71f4-4977-bdf2-cad011e281c4:panel_ffffbd7a-71f4-4977-bdf2-cad011e281c4","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1764],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,1766],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1768],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTk0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Sysmon - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1770],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Sysmon - Event ID (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Sysmon - Event ID (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e09f6010-6d72-11e7-b09b-f57b22df6524","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1772],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTk2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Sysmon - Log 
Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sysmon - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHHk1sxQT5EBNmq43Y","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"search_0","type":"search"}],"sort":[1643385898421,1774],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTk3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{
\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"sort":[1643385898421,1787],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MT
k4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1789],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MTk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"coreMigrationVersion":"7.16.2","id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1791],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjAwLDE1XQ=="} -{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"securitySolution:defaultIndex":["apm-*-transaction*","traces-apm*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","winlogbeat-*","*:so-*"],"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": 
\"now\"\n}"},"coreMigrationVersion":"7.16.2","id":"7.16.2","migrationVersion":{"config":"7.13.0"},"references":[],"sort":[1643385898421,1792],"type":"config","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjAxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1794],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjAyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1796],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjAzLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Modbus","version":1},"coreMigrationVersion":"7.16.2","id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"sort":[1643385898421,1805],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Change Stats","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"osquery - ChromeExt - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":70}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"},"coreMigrationVersion":"7.16.2","id":"71538370-18d5-11e9-932c-d12d2cf4ee95","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"sort":[1643385898421,1807],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjA1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Total Bytes Per Source/Destination IP Pair","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_term\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source 
IP\",\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"title\":\"Connections - Total Bytes Per Source/Destination IP Pair\",\"type\":\"table\"}"},"coreMigrationVersion":"7.16.2","id":"726cc040-48cf-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1809],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - File Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - File 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1811],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjA3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Log Type Per Sensor/Device","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Log Type Per 
Sensor/Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"733ce440-494d-11e8-9576-313be7c6b44b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1813],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjA4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Signing Algorithm","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"X.509 - Certificate Signing 
Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_signing_algorithm.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}"},"coreMigrationVersion":"7.16.2","id":"738127f0-37d7-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1815],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjA5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - Command","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - FTP - 
Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ftp.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d3435690-755f-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1817],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjEwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - 
User","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"ftp.user.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"ftp.user.keyword: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"title\":\"Security Onion - FTP - User\",\"type\":\"table\"}"},"coreMigrationVersion":"7.16.2","id":"8346bc70-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1819],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjExLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FTP - 
Password","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FTP - Password\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ftp.password.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.password.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Password\"}}]}"},"coreMigrationVersion":"7.16.2","id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1821],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjEyLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ftp\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":13,\"h\":19,\"i\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\"},\"panelIndex\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":19,\"i\":\"e244437a-17a5-4e00-9176-f4e88ac54938\"},\"panelIndex\":\"e244437a-17a5-4e00-9176-f4e88ac54938\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\
"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":22,\"h\":16,\"i\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\"},\"panelIndex\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":27,\"w\":26,\"h\":16,\"i\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\"},\"panelIndex\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":28,\"i\":\"c57349cc-4699-4d52-b386-14e1d1260c87\"},\"panelIndex\":\"c57349cc-4699-4d52-b386-14e1d1260c87\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - FTP","version":1},"coreMigrationVersion":"7.16.2","id":"739bfad0-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"d3435690-755f-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"5fcdb0c0-755f-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8346bc70-7561-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"bc3e2bd0-7561-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,1832],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjEzLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"From\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mail_from.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"73b1b240-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1834],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjE0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"73f663f0-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1836],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjE1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:securityonion.net~ -securityonion.net\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Phishing Attempts Against Organizational Domain(s)","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}","version":1,"visState":"{\"title\":\"DNS - Phishing Attempts Against Organizational Domain(s)\",\"type\":\"gauge\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"gauge\":{\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"Edit this to reflect your domain(s)\",\"fontSize\":60,\"labelColor\":true},\"alignment\":\"horizontal\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"74861280-6f06-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1838],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjE2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Cookie","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - 
Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cookie.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"75597b60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1840],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjE3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"tunnel.type.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"781447d0-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1842],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Intel - Indicator Type (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Intel - Indicator Type (Donut)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.indicator_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":24,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Indicator 
Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"},"coreMigrationVersion":"7.16.2","id":"78185810-0e61-11eb-a255-e1e8e85e3571","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1844],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjE5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"osquery - Chrome Extensions - Sensitive Permissions","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"osquery - Chrome Extensions - Sensitive Permissions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Extension 
Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.permissions.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Permissions\"}}]}"},"coreMigrationVersion":"7.16.2","id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"040dda10-18d8-11e9-932c-d12d2cf4ee95","name":"search_0","type":"search"}],"sort":[1643385898421,1846],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjIwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"MySQL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHBRrrxQT5EBNmq4TI","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1848],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjIxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Response","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"MySQL - 
Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1850],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"MySQL - 
Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1852],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjIzLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"z16.04 - Bro - 
MySQL","version":1},"coreMigrationVersion":"7.16.2","id":"7929f430-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"5d9031a0-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"07e25650-3812-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"5d624230-342e-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"},{"id":"AWDHBRrrxQT5EBNmq4TI","name":"panel_4","type":"visualization"},{"id":"9c411ad0-4a58-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"c48925a0-4a58-11e8-9b0a-f1d33346f773","name":"panel_6","type":"visualization"}],"sort":[1643385898421,1860],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjI0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - FIle - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - FIle - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File 
Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1862],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Client Version","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1864],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count Over 
TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1866],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjI3LDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_http AND _exists_:virtual_host_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"HTTP - Virtual Host Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"HTTP - Virtual Host Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"virtual_host_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Virtual Host\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1868],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjI4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - Authentication Sucess","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSH - Authentication 
Sucess\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.authentication.success: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.authentication.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"coreMigrationVersion":"7.16.2","id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1870],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1872],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjMwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Machine","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"PE - 
Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"machine.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7de76e10-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1874],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjMxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:highest_registered_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Highest Registered Domain Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - Highest Registered Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"highest_registered_domain_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1876],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjMyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS - Alerts Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1878],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjMzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a6df8820-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1880],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjM0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS Alerts - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"db04aef0-399f-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1882],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjM1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS Alerts - Severity (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"NIDS Alerts - Severity (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"priority.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1884],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjM2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alerts By Country (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"NIDS - Alerts By Country (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1886],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjM3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"NIDS - Alert 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG3ym0xQT5EBNmq3mG","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1888],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjM4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Alert Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - Alert 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1890],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjM5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"NIDS - Classification","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"NIDS - 
Classification\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"classification.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Classification\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1892],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":120,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancem
ents\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":32,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":44,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"z16.04 - 
NIDS","version":1},"coreMigrationVersion":"7.16.2","id":"7f27a830-34e5-11e7-9669-7f1d3242b798","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"a6df8820-399f-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"db04aef0-399f-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_5","type":"visualization"},{"id":"ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"45464b50-3af6-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"81de16f0-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_8","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_9","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_11","type":"visualization"},{"id":"d66d54c0-4c89-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"sort":[1643385898421,1906],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQxLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"7da5ad1e-8383-4383-9a2c-dfa2fc91eea5":{"columnOrder":["0592df0d-869f-422f-ba64-848d9e3b5e66","a451bb62-c37e-4924-9c6a-fea87810af73","0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1"],"columns":{"0592df0d-869f-422f-ba64-848d9e3b5e66":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Logs Over Time By Top 10 
Hosts","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"host.name"},"0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"a451bb62-c37e-4924-9c6a-fea87810af73":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"accessors":["0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1"],"layerId":"7da5ad1e-8383-4383-9a2c-dfa2fc91eea5","layerType":"data","position":"top","seriesType":"line","showGridlines":false,"splitAccessor":"0592df0d-869f-422f-ba64-848d9e3b5e66","xAccessor":"a451bb62-c37e-4924-9c6a-fea87810af73"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"line","title":"Empty XY chart","valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Logs Over Time By Top 10 Hosts","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"7f34e6e0-624d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-7da5ad1e-8383-4383-9a2c-dfa2fc91eea5","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,1910],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - 
Destination - Top Connection Duration (Tile Map)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Destination - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"7f7492d0-46c4-11e7-a82e-d97152153689","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1912],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - MAC","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - 
MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.mac.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC\"}}]}"},"coreMigrationVersion":"7.16.2","id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1914],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQ0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Requested Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Requested 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.requested_address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requested Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1916],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQ1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Assigned Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DHCP - Assigned 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.assigned_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1918],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQ2LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dhcp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"7e10f47b-2096-452d-9b40-be150226504f\"},\"panelIndex\":\"7e10f47b-2096-452d-9b40-be150226504f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":10,\"h\":9,\"i\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\"},\"panelIndex\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":9,\"i\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\"},\"panelIndex\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":20,\"i\":\"c5565d1e-719c-4401-b886-1ad84638b855\"},\"panelIndex\":\"c5565d1e-719c-4401-b886-1ad84638b855\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":20,\"i\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\"},\"panelIndex\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":20,\"i\":\"bcba795f-8008-4f91-887d-35b5aff11022\"},\"panelIndex\":\"bcba795f-8008-4f91-887d-35b5aff11022\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":9,\"w\":7,\"h\":20,\"i\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\"},\"panelIndex\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"
7.9.0\",\"gridData\":{\"x\":31,\"y\":9,\"w\":17,\"h\":20,\"i\":\"87dce718-7595-4bb0-b1be-b2f51518f026\"},\"panelIndex\":\"87dce718-7595-4bb0-b1be-b2f51518f026\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":29,\"i\":\"4f1bdb3c-15b5-4d72-bc4f-96a266423272\"},\"panelIndex\":\"4f1bdb3c-15b5-4d72-bc4f-96a266423272\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - DHCP","version":1},"coreMigrationVersion":"7.16.2","id":"80625c10-96dd-11ea-814e-bb515e873c2c","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_3","type":"visualization"},{"id":"9a693c50-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_4","type":"visualization"},{"id":"cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0","name":"panel_5","type":"visualization"},{"id":"2af5f980-96e2-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"36200e40-c76b-11ea-bebb-37c5ab5894ea","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,1928],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"PE - Subsystem (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Subsystem (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"subsystem.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1930],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQ4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - 
Subsytem","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.subsystem.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subsystem\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - Subsytem\"}"},"coreMigrationVersion":"7.16.2","id":"80a39cb0-c762-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1932],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - 
Success\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.success: 
Descending\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"},"coreMigrationVersion":"7.16.2","id":"80aa0c60-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1934],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjUwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Rule - SID","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule ID\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1936],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjUxLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:alert AND 
event.module:suricata\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":8,\"i\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\"},\"panelIndex\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":8,\"i\":\"67961875-85aa-443b-9cac-130c8783cd8d\"},\"panelIndex\":\"67961875-85aa-443b-9cac-130c8783cd8d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\"},\"panelIndex\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":20,\"i\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\"},\"panelIndex\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":19,\"y\":8,\"w\":9,\"h\":20,\"i\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\"},\"panelIndex\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":20,\"i\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\"},\"panelIndex\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":20,\"i\":\"2faea405-e4d3-488b-adfa-373b135d2122\"},\"panelIndex\":\"2faea405-e4d3-488b-adfa-373b135d2122\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":19,\"h\":18,\"i\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\"},\"panelIndex\":\"728a4c2
2-9a7e-4152-a4d6-eed2d728abb8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":19,\"y\":28,\"w\":19,\"h\":18,\"i\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\"},\"panelIndex\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":38,\"y\":28,\"w\":10,\"h\":18,\"i\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\"},\"panelIndex\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":46,\"w\":48,\"h\":20,\"i\":\"b7ad7fb7-60d2-4a1c-b71a-c438626507af\"},\"panelIndex\":\"b7ad7fb7-60d2-4a1c-b71a-c438626507af\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Alerts - Suricata","version":1},"coreMigrationVersion":"7.16.2","id":"81057f40-7733-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"a37b9fa0-72b0-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"visualization"},{"id":"a47ffc70-96f0-11ea-814e-bb515e873c2c","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"se
arch"}],"sort":[1643385898421,1948],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjUyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Response From","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Response From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.response.from.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.response.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response 
From\"}}]}"},"coreMigrationVersion":"7.16.2","id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1950],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjUzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8261cf00-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1952],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjU0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SNMP - Community String","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Community 
String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"community.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}"},"coreMigrationVersion":"7.16.2","id":"83a91450-4c79-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1954],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjU1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Data Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Network Data Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":true,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-24T15:15:25.819Z\",\"max\":\"2020-03-25T15:15:25.819Z\"}},\"label\":\"@timestamp per 30 
minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"},"coreMigrationVersion":"7.16.2","id":"8491c4b0-6eab-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,1956],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjU2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1958],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DHCP - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG80RwxQT5EBNmq38x","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1960],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjU4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Message Types","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Message 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message_types.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Types\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a88e1020-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1962],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DHCP - Domain Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DHCP - Domain Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain 
Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ce859b40-0edb-11e9-9846-59f545e7293f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1964],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjYwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":76,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":21,\"y\":52,\"w\":13,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":52,\"w\":13,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":25,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":52,\"w\":14,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":33,\"w\":26,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":33,\"w\":14,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Bro - 
DHCP","version":1},"coreMigrationVersion":"7.16.2","id":"85348270-357b-11e7-ac34-8965f6420c51","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"e9a7fe80-357b-11e7-ac34-8965f6420c51","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"1055ada0-3655-11e7-baa7-b7de4ee40605","name":"panel_2","type":"visualization"},{"id":"317f8410-3655-11e7-baa7-b7de4ee40605","name":"panel_3","type":"visualization"},{"id":"AWDG80RwxQT5EBNmq38x","name":"panel_4","type":"visualization"},{"id":"4e877100-4a48-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"ac1799d0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"58c84f60-0edb-11e9-9846-59f545e7293f","name":"panel_7","type":"visualization"},{"id":"a88e1020-0edb-11e9-9846-59f545e7293f","name":"panel_8","type":"visualization"},{"id":"ce859b40-0edb-11e9-9846-59f545e7293f","name":"panel_9","type":"visualization"}],"sort":[1643385898421,1975],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjYxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Intel - Indicator","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Intel - 
Indicator\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.indicator.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Indicator\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true,\"showToolbar\":true}}"},"coreMigrationVersion":"7.16.2","id":"db8c57c0-0e5c-11eb-a255-e1e8e85e3571","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1977],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjYyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Intel - Source","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Intel - 
Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.sources.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true}}"},"coreMigrationVersion":"7.16.2","id":"b4222d00-0e60-11eb-a255-e1e8e85e3571","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1979],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjYzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Intel - Seen Where","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Intel - Seen Where\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.seen_where.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Seen 
Where\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true}}"},"coreMigrationVersion":"7.16.2","id":"ec57d300-0e60-11eb-a255-e1e8e85e3571","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1981],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjY0LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:intel\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a9613b03-8b84-4149-9dfa-5b059c1e0e70\"},\"panelIndex\":\"a9613b03-8b84-4149-9dfa-5b059c1e0e70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":9,\"i\":\"77e957c4-13ac-480c-b799-0bd39559781b\"},\"panelIndex\":\"77e957c4-13ac-480c-b799-0bd39559781b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":9,\"i\":\"722a0294-a47b-4cd1-85c0-37f9933552c5\"},\"panelIndex\":\"722a0294-a47b-4cd1-85c0-37f9933552c5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":21,\"i\":\"a008c6c0-0e76-4dc6-802b-72d68ad0c10d\"},\"panelIndex\":\"a008c6c0-0e76-4dc6-802b-72d68ad0c10d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":21,\"i\":\"0adce98b-c9e8-469b-8cac-fb4ceb35b68
a\"},\"panelIndex\":\"0adce98b-c9e8-469b-8cac-fb4ceb35b68a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":20,\"y\":9,\"w\":13,\"h\":21,\"i\":\"2b95ef19-525e-4659-8ab3-67cb0e9dc41a\"},\"panelIndex\":\"2b95ef19-525e-4659-8ab3-67cb0e9dc41a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"bde38fe7-9aec-4e19-b9fe-035ee6a66ef7\"},\"panelIndex\":\"bde38fe7-9aec-4e19-b9fe-035ee6a66ef7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":15,\"i\":\"2fa3b43b-f3b3-4eeb-8f32-1a3f2ccfc6c0\"},\"panelIndex\":\"2fa3b43b-f3b3-4eeb-8f32-1a3f2ccfc6c0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":15,\"i\":\"79c4ec17-8411-49d8-82af-6921a321dd3b\"},\"panelIndex\":\"79c4ec17-8411-49d8-82af-6921a321dd3b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":34,\"i\":\"779d2461-4d8a-4254-b380-26650a52a026\"},\"panelIndex\":\"779d2461-4d8a-4254-b380-26650a52a026\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - 
Intel","version":1},"coreMigrationVersion":"7.16.2","id":"85b529a0-0e5a-11eb-a255-e1e8e85e3571","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db8c57c0-0e5c-11eb-a255-e1e8e85e3571","name":"panel_5","type":"visualization"},{"id":"b4222d00-0e60-11eb-a255-e1e8e85e3571","name":"panel_6","type":"visualization"},{"id":"6b109430-0e60-11eb-a255-e1e8e85e3571","name":"panel_7","type":"visualization"},{"id":"ec57d300-0e60-11eb-a255-e1e8e85e3571","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,1992],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjY1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 
minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,1994],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjY2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Status (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Status (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auth.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"869e3030-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,1996],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjY3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Modbus - Exception","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Modbus - Exception\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.exception.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"modbus.exception.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}"},"coreMigrationVersion":"7.16.2","id":"93cdb730-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,1998],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjY4LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:modbus\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\"},\"panelIndex\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\"},\"panelIndex\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\"},\"panelIndex\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"
b15f438a-6f24-4099-90e6-d66f950029bc\"},\"panelIndex\":\"b15f438a-6f24-4099-90e6-d66f950029bc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\"},\"panelIndex\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":8,\"w\":14,\"h\":19,\"i\":\"4154e8b1-e314-4623-aaf4-0404a108551a\"},\"panelIndex\":\"4154e8b1-e314-4623-aaf4-0404a108551a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\"},\"panelIndex\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"c4d3c93a-746f-4edc-835c-66f1380fc5d4\"},\"panelIndex\":\"c4d3c93a-746f-4edc-835c-66f1380fc5d4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - 
Modbus","version":1},"coreMigrationVersion":"7.16.2","id":"886a7b90-75bd-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"62449800-75be-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"93cdb730-75be-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,2007],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjY5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2009],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjcwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"PE - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"PE - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHCUeZxQT5EBNmq4Xy","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2011],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjcxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"fuid\",\"machine\",\"is_exe\",\"is_64bit\",\"subsystem\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro 
- PE","version":1},"coreMigrationVersion":"7.16.2","id":"8a10e380-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"9cffd160-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"45c4ae10-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"807da390-380c-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"66288140-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"4e56b4d0-416f-11e7-9850-b78558d0ac17","name":"panel_5","type":"visualization"},{"id":"7de76e10-6e1f-11e7-b553-7f80727663c1","name":"panel_6","type":"visualization"},{"id":"AWDHCUeZxQT5EBNmq4Xy","name":"panel_7","type":"visualization"}],"sort":[1643385898421,2020],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjcyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8a60eb50-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2022],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSH - HASSH","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSH - HASSH\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.hassh.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2024],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjc0LDE1XQ=="} -{"attributes":{"description":"based on the Endgame - Categories with Full Event Type viz, modded by rlp 
20211220","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - Event Categories","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}","version":1,"visState":"{\"title\":\"Endgame - Event Categories\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"event.category\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"},"coreMigrationVersion":"7.16.2","id":"8b3bb5c0-61af-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2027],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjc1LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"129a936c-78f7-4b8a-91a7-712c80565727":{"columnOrder":["4335200b-f044-42ae-88fb-5a21866cebe0","b9c21cd1-839b-4e12-b602-b834e52e378e","4c86d61d-2f88-4bfc-b2be-474179593cba"],"columns":{"4335200b-f044-42ae-88fb-5a21866cebe0":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"type","operationType":"terms","params":{"missingBucket":true,"orderBy":{"columnId":"4c86d61d-2f88-4bfc-b2be-474179593cba","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"type"},"4c86d61d-2f88-4bfc-b2be-474179593cba":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"b9c21cd1-839b-4e12-b602-b834e52e378e":{"customLabel":true,"dataType":"ip","isBucketed":true,"label":"host.ip","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"4c86d61d-2f88-4bfc-b2be-474179593cba","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.ip"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"registry"},"type":"phrase"},"query":{"match_phrase":{"event.category":"registry"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"4335200b-f044-42ae-88fb-5a21866cebe0","isTransposed":false},{"columnId":"b9c21cd1-839b-4e12-b602-b834e52e378e","isTransposed":false},{"columnId":"4c86d61d-2f88-4bfc-b2be-474179593cba","isTransposed":false}],"layerId":"129a936c-78f7-4b8a-91a7-712c80565727","layerType":"data"}},"title":"Endgame - Registry 
Type","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"8d1f99e0-6e45-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-129a936c-78f7-4b8a-91a7-712c80565727","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2032],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjc2LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3b6026b4-9c36-4fbc-9f90-bd5580303bea":{"columnOrder":["d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721","ff0a89b4-427d-4739-bb83-86794a1f4289"],"columns":{"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"ff0a89b4-427d-4739-bb83-86794a1f4289","type":"column"},"orderDirection":"desc","otherBucket":true,"size":20},"scale":"ordinal","sourceField":"user.name"},"ff0a89b4-427d-4739-bb83-86794a1f4289":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.kind : \"alert\" "},"visualization":{"columns":[{"columnId":"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721"},{"columnId":"ff0a89b4-427d-4739-bb83-86794a1f4289"}],"layerId":"3b6026b4-9c36-4fbc-9f90-bd5580303bea","layerType":"data"}},"title":"Endgame - Alerted 
Users","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"8da24210-6cbe-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2036],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjc3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Notice Generated (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Weird - Notice Generated (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2038],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjc4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Client Build","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Client 
Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"client_build.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}"},"coreMigrationVersion":"7.16.2","id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2040],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjc5LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"367cf35f-001a-4014-acc6-677bc504a945":{"columnOrder":["6170616f-f2d9-47b9-8bdd-aeb746b4b2cb","217236ba-3def-46da-8aa0-3c41d3484a50"],"columns":{"217236ba-3def-46da-8aa0-3c41d3484a50":{"dataType":"number","isBucketed":false,"label":"Count of 
records","operationType":"count","scale":"ratio","sourceField":"Records"},"6170616f-f2d9-47b9-8bdd-aeb746b4b2cb":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"event.type","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"217236ba-3def-46da-8aa0-3c41d3484a50","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.type"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"file"},"type":"phrase"},"query":{"match_phrase":{"event.category":"file"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"6170616f-f2d9-47b9-8bdd-aeb746b4b2cb"},{"columnId":"217236ba-3def-46da-8aa0-3c41d3484a50"}],"layerId":"367cf35f-001a-4014-acc6-677bc504a945","layerType":"data"}},"title":"Endgame - File Event Type","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"8f2285f0-6d6d-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-367cf35f-001a-4014-acc6-677bc504a945","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2045],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate 
Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2047],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjgxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Files - MIME Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Files - MIME 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mimetype.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mimetype.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"},"coreMigrationVersion":"7.16.2","id":"8fb3c480-75f2-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2049],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjgyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"All Sensors - Log Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"All Sensors - Log 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}"},"coreMigrationVersion":"7.16.2","id":"901bda80-a83f-11e7-893a-1b88920b2837","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"search_0","type":"search"}],"sort":[1643385898421,2051],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2053],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjg0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2055],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjg1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2057],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjg2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"b0456970-6e1f-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2059],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RADIUS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RADIUS - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHCgWzxQT5EBNmq4Y5","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2061],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjg4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RADIUS - Username","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RADIUS - 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2063],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjg5LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},
{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"z16.04 - Bro - 
RADIUS","version":1},"coreMigrationVersion":"7.16.2","id":"90b246c0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"ccb3e270-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"b48442b0-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"cea78b70-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"10cd7190-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"5df79fe0-3809-11e7-a1cc-ebc6a7e70e84","name":"panel_5","type":"visualization"},{"id":"75545310-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"b0456970-6e1f-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"AWDHCgWzxQT5EBNmq4Y5","name":"panel_8","type":"visualization"},{"id":"e827bab0-4a5a-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"},{"id":"30348db0-4a5b-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"sort":[1643385898421,2075],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjkwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SIP - Destination Country (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SIP - Destination Country (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2077],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjkxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"},"title":"Security Onion - Rule - ID","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"Security Onion - Rule - 
ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ID\"}}]}"},"coreMigrationVersion":"7.16.2","id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2079],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count Over Time","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,2081],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MjkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Host - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Agent Name\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2083],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjk0LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.category:host\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c743998d-d4c5-429f-87ce-67bac2649e72\"},\"panelIndex\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":15,\"h\":8,\"i\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\"},\"panelIndex\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":8,\"i\":\"8485e0bf-8342-42ff-82b4-eb2611191060\"},\"panelIndex\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":18,\"i\":\"ba08df96-10b9-4b30-803f-f40387867ccc\"},\"panelIndex\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":7,\"h\":18,\"i\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\"},\"panelIndex\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":15,\"y\":8,\"w\":8,\"h\":18,\"i\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\"},\"panelIndex\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":18,\"i\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\"},\"panelIndex\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"
7.9.2\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":20,\"i\":\"38bc9e98-7934-4d1b-89fa-1b57765086c3\"},\"panelIndex\":\"38bc9e98-7934-4d1b-89fa-1b57765086c3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - Host","version":1},"coreMigrationVersion":"7.16.2","id":"92e63cc0-6ec0-11ea-9266-1fd14ca6af34","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"f03402e0-72bc-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"758187b0-72bd-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"a866be10-0e45-11eb-a255-e1e8e85e3571","name":"panel_7","type":"search"}],"sort":[1643385898421,2092],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Content 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"content_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content Type\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"930b1600-3753-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2094],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjk2LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:ossec AND 
event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":19,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":12,\"y\":8,\"w\":11,\"h\":19,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":23,\"y\":8,\"w\":7,\"h\":19,\"i\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\"},\"panelIndex\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":30,\"y\":8,\"w\":8,\"h\":19,\"i\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\"},\"panelIndex\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\"},\"panelIndex\":\"8b5674df-a
ad2-4af7-aa91-90a9d3e3980c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":21,\"i\":\"365259e4-659e-4950-8e82-b8d8fc7fadca\"},\"panelIndex\":\"365259e4-659e-4950-8e82-b8d8fc7fadca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Wazuh","version":1},"coreMigrationVersion":"7.16.2","id":"9480f190-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"91bd9990-7737-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"407784f0-7738-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"a866be10-0e45-11eb-a255-e1e8e85e3571","name":"panel_8","type":"search"}],"sort":[1643385898421,2104],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjk3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Total Number of Logs","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Total Number of 
Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDGyaGxxQT5EBNmq3K9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2106],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Sensors - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Sensors - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"sensor_name.keyword\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDGzmzcxQT5EBNmq3Sj","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2108],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mjk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Devices - Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Devices - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syslog-host_from.keyword\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG0UDvxQT5EBNmq3WD","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2110],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzAwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i
\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":32,\"x\":32,\"y\":24,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"panelIndex\":\"32\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":16,\"x\":32,\"y\":8,\"i\":\"33\"},\"panelIndex\":\"33\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":16,\"x\":40,\"y\":8,\"i\":\"34\"},\"panelIndex\":\"34\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":8,\"x\":0,\"y\":72,\"i\":\"35\"},\"panelIndex\":\"35\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":8,\"x\":16,\"y\":72,\"i\":\"36\"},\"panelIndex\":\"36\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":8,\"x\":32,\"y\":72,\"i\":\"37\"},\"panelIndex\":\"37\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"38\"},\"panelIndex\":\"38\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":108,\"i\":\"39\"},\"panelIndex\":\"39\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":28,\"x\":24,\"y\":80,\"i\":\"40\
"},\"panelIndex\":\"40\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":28,\"x\":0,\"y\":80,\"i\":\"41\"},\"panelIndex\":\"41\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_15\"}]","timeRestore":false,"title":"z16.04 - Overview","version":1},"coreMigrationVersion":"7.16.2","id":"94b52620-342a-11e7-9d52-4f090484f59e","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_1","type":"search"},{"id":"1c2aeb50-365e-11e7-b896-5bdd6bfa1561","name":"panel_2","type":"visualization"},{"id":"277f3250-4161-11e7-8493-51634b0a4565","name":"panel_3","type":"visualization"},{"id":"901bda80-a83f-11e7-893a-1b88920b2837","name":"panel_4","type":"visualization"},{"id":"5b3988c0-a840-11e7-893a-1b88920b2837","name":"panel_5","type":"visualization"},{"id":"AWDGyaGxxQT5EBNmq3K9","name":"panel_6","type":"visualization"},{"id":"AWDGzmzcxQT5EBNmq3Sj","name":"panel_7","type":"visualization"},{"id":"AWDG0UDvxQT5EBNmq3WD","name":"panel_8","type":"visualization"},{"id":"AWDG1uC-xQT5EBNmq3dP","name":"panel_9","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_10","type":"visualization"},{"id":"AWDG4pcDxQT5EBNmq3pi","name":"panel_11","type":"visualization"},{"id":"733ce440-494d-11e8-9576-313be7c6b44b","name":"panel_12","type":"visualization"},{"id":"2a949080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_13","type":"visualization"},{"id":"96c2cf10-4a3d-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"ee0ba080-4a3d-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"sort":[1643385898421,2127],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzAxLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - PE - OS","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.os.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"OS\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - OS\"}"},"coreMigrationVersion":"7.16.2","id":"b449a870-c762-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2129],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzAyLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:pe\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\"},\"panelIndex\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":12,\"h\":9,\"i\":\"94db978d-70ba-4ade-a680-1297961aa832\"},\"panelIndex\":\"94db978d-70ba-4ade-a680-1297961aa832\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":9,\"i\":\"8973a749-ddc9-4476-8946-280e748da61e\"},\"panelIndex\":\"8973a749-ddc9-4476-8946-280e748da61e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":18,\"i\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\"},\"panelIndex\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":9,\"w\":15,\"h\":18,\"i\":\"b9da8481-6781-4431-83de-c51834199de7\"},\"panelIndex\":\"b9da8481-6781-4431-83de-c51834199de7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":9,\"w\":10,\"h\":18,\"i\":\"ceba5670-4f26-411e-a19a-e130cf715228\"},\"panelIndex\":\"ceba5670-4f26-411e-a19a-e130cf715228\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\"},\"panelIndex\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\"
:\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"767dc27a-2b54-4360-bb34-c1a41528ad25\"},\"panelIndex\":\"767dc27a-2b54-4360-bb34-c1a41528ad25\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - PE","version":1},"coreMigrationVersion":"7.16.2","id":"94b55b90-c761-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"80a39cb0-c762-11ea-bebb-37c5ab5894ea","name":"panel_3","type":"visualization"},{"id":"b449a870-c762-11ea-bebb-37c5ab5894ea","name":"panel_4","type":"visualization"},{"id":"07419650-c763-11ea-bebb-37c5ab5894ea","name":"panel_5","type":"visualization"},{"id":"282bf2c0-c763-11ea-bebb-37c5ab5894ea","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,2138],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzAzLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:snmp\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\"},\"panelIndex\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\"},\"panelIndex\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"4c444c07-93f9-43d2-966e-1a0db864c011\"},\"panelIndex\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\"},\"panelIndex\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":19,\"i\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\"},\"panelIndex\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":19,\"i\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\"},\"panelIndex\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\"},\"panelIndex\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\"
:\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"db2dff22-e4c1-41ea-a07d-8c0b0080cb04\"},\"panelIndex\":\"db2dff22-e4c1-41ea-a07d-8c0b0080cb04\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - SNMP","version":1},"coreMigrationVersion":"7.16.2","id":"96522610-75e8-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"424ace90-75e9-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"690ef880-75e9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,2147],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - \"To\" Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - \\\"To\\\" 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"recipient_to.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"96767400-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2149],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzA1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2151],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RDP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2153],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzA3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Keyboard Layout (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Keyboard Layout (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"keyboard_layout.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard 
Layout\"}}]}"},"coreMigrationVersion":"7.16.2","id":"be7637c0-371c-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2155],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzA4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Result (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RDP - Result (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"ot
herBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c4f37d70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2157],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzA5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"RDP - Encryption Level (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"RDP - Encryption Level (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{\"text\":\"Encryption 
Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encryption_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryption Level\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ef307a70-6e20-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2159],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzEwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RDP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RDP - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHCvBexQT5EBNmq4aK","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2161],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzExLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\
"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"z16.04 - Bro - RDP","version":1},"coreMigrationVersion":"7.16.2","id":"97f8c3a0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"fd549d70-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"823dd600-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"f9a16c80-371b-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"0b9dea80-371c-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"19dfd180-371c-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"524e13b0-371c-11e7-90f8-87842d5eedc9","name":"panel_6","type":"visualization"},{"id":"75597b60-371c-11e7-90f8-87842d5eedc9","name":"panel_7","type":"visualization"},{"id":"8e18ee60-371c-11e7-90f8-87842d5eedc9","name":"panel_8","type":"visualization"},{"id":"be7637c0-371c-11e7-90f8-87842d5eedc9","name":"panel_9","type":"visualization"},{"id":"c4f37d70-6e20-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"ef307a70-6e20-11e7-b553-7f80727663c1","name":"panel_1
1","type":"visualization"},{"id":"AWDHCvBexQT5EBNmq4aK","name":"panel_12","type":"visualization"}],"sort":[1643385898421,2175],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzEyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2177],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzEzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"9a54f150-366e-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2179],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzE0LDE1XQ=="} -{"attributes":{"columns":["source_ip","name","software_type"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Software - Logs","version":1},"coreMigrationVersion":"7.16.2","id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","migrationVersion":{"search":"7.9.3"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2181],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzE1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Software - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Software - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_major.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_minor.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"software_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2183],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzE2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.note.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2185],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzE3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[{\"meta\":{\"negate\":true,\"disabled\":true,\"alias\":\"Initial Systems/Queries\",\"type\":\"phrase\",\"key\":\"osquery.counter\",\"params\":{\"query\":0},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrases\",\"key\":\"osquery.codename\",\"value\":\"server\",\"params\":[\"server\"],\"negate\":false,\"disabled\":true,\"alias\":\"Servers Only\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"osquery.codename\":\"server\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"osquery.hostname\",\"osquery.name\",\"osquery.LiveQuery\",\"osquery.EndpointIP1\",\"osquery.EndpointIP2\"],\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":13,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":13,\"w\":40,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Changes by 
Type\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":13,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"z16.04 - osquery - Overview","version":1},"coreMigrationVersion":"7.16.2","id":"9d0e2da0-14e1-11e9-82f7-0da02d93a48b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"84116380-14e1-11e9-82f7-0da02d93a48b","name":"panel_1","type":"search"},{"id":"2f556c90-14e3-11e9-82f7-0da02d93a48b","name":"panel_2","type":"visualization"},{"id":"369e16e0-14e4-11e9-82f7-0da02d93a48b","name":"panel_3","type":"visualization"},{"id":"05a5ed10-14e4-11e9-82f7-0da02d93a48b","name":"panel_4","type":"visualization"}],"sort":[1643385898421,2193],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source Ports","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source 
Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9d3413c0-6ea0-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,2195],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzE5LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:ssh\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\"},\"panelIndex\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\"},\"panelIndex\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\"},\"panelIndex\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\"},\"panelIndex\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\"},\"panelIndex\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":13,\"h\":19,\"i\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\"},\"panelIndex\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":8,\"w\":15,\"h\":19,\"i\":\"ff324073-699d-4b26-b4fd-28190fa3803b\"},\"panelIndex\":\"ff324073-699d-4b26-b4fd-28190fa3803b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\
":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":17,\"h\":18,\"i\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\"},\"panelIndex\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":17,\"y\":27,\"w\":16,\"h\":18,\"i\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\"},\"panelIndex\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"6711f807-284e-4025-99bb-cee25c0e970d\"},\"panelIndex\":\"6711f807-284e-4025-99bb-cee25c0e970d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"3d4c3a76-579f-494d-b87c-d594fea44d83\"},\"panelIndex\":\"3d4c3a76-579f-494d-b87c-d594fea44d83\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
SSH","version":1},"coreMigrationVersion":"7.16.2","id":"9dfd77e0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"292b1db0-75ea-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"46221fe0-75ea-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"7d61f430-75ea-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"104a4a90-75eb-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8afa5f50-75eb-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"sort":[1643385898421,2207],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzIwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Endpoint","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - 
Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.endpoint.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a427d6e0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2209],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzIxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Named Pipe","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - Named 
Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.named_pipe.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Named Pipe\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c2f21270-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2211],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DCE/RPC - Operation","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DCE/RPC - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.operation.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}"},"coreMigrationVersion":"7.16.2","id":"df7989f0-96db-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2213],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzIzLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dce_rpc\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\"},\"panelIndex\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\"},\"panelIndex\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\"},\"panelIndex\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":21,\"i\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\"},\"panelIndex\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":21,\"i\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\"},\"panelIndex\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":21,\"i\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\"},\"panelIndex\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":9,\"w\":8,\"h\":21,\"i\":\"ee61c32f-e801-494f-a819-b5788bed856f\"},\"panelIndex\":\"ee61c32f-e801-494f-a819-b5788bed856f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\"
:\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"f7c23591-431c-4a4c-a69b-a349c37697da\"},\"panelIndex\":\"f7c23591-431c-4a4c-a69b-a349c37697da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":48,\"h\":29,\"i\":\"f360db9a-9572-4b67-8be4-6f53084940a3\"},\"panelIndex\":\"f360db9a-9572-4b67-8be4-6f53084940a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - DCE/RPC","version":1},"coreMigrationVersion":"7.16.2","id":"9e882df0-72c5-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"a427d6e0-96db-11ea-814e-bb515e873c2c","name":"panel_5","type":"visualization"},{"id":"c2f21270-96db-11ea-814e-bb515e873c2c","name":"panel_6","type":"visualization"},{"id":"df7989f0-96db-11ea-814e-bb515e873c2c","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,2223],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzI0LDE1XQ=="} -{"attributes":{"columns":["_source"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"Security Onion - 
Osquery","version":1},"coreMigrationVersion":"7.16.2","id":"9eed5fc0-afcb-11ea-b262-353d451b125b","migrationVersion":{"search":"7.9.3"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2225],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2227],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2229],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzI3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d6ec3570-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2231],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzI4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"RFB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e8982270-6e21-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2233],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Authentication Method (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"RFB - Authentication Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c24191f0-6e22-11e7-b553-7f80727663c1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2235],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzMwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"RFB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"RFB - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHC8iGxQT5EBNmq4bs","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2237],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzMxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\
"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":80,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"z16.04 - Bro - 
RFB","version":1},"coreMigrationVersion":"7.16.2","id":"9ef20ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"265a04d0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"869e3030-371e-11e7-90f8-87842d5eedc9","name":"panel_2","type":"visualization"},{"id":"bf47f4c0-371e-11e7-90f8-87842d5eedc9","name":"panel_3","type":"visualization"},{"id":"14274040-371f-11e7-90f8-87842d5eedc9","name":"panel_4","type":"visualization"},{"id":"63c072c0-371f-11e7-90f8-87842d5eedc9","name":"panel_5","type":"visualization"},{"id":"8ba53710-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"bbbe5a80-6e21-11e7-b553-7f80727663c1","name":"panel_7","type":"visualization"},{"id":"d6ec3570-6e21-11e7-b553-7f80727663c1","name":"panel_8","type":"visualization"},{"id":"e8982270-6e21-11e7-b553-7f80727663c1","name":"panel_9","type":"visualization"},{"id":"4fade7b0-6e22-11e7-b553-7f80727663c1","name":"panel_10","type":"visualization"},{"id":"7c1e3f70-6e22-11e7-b553-7f80727663c1","name":"panel_11","type":"visualization"},{"id":"c24191f0-6e22-11e7-b553-7f80727663c1","name":"panel_12","type":"visualization"},{"id":"AWDHC8iGxQT5EBNmq4bs","name":"panel_13","type":"visualization"}],"sort":[1643385898421,2252],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzMyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Content Type","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - Content 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.content_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2254],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzMzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"title":"Help","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. 
The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. 
These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. 
You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. \\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. 
You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, 
destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. 
This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. 
Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"},"coreMigrationVersion":"7.16.2","id":"AV6-PHKnDwoBUzALqJ_c","migrationVersion":{"visualization":"7.14.0"},"references":[],"sort":[1643385898421,2255],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzM0LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":204,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"z16.04 - Help","version":1},"coreMigrationVersion":"7.16.2","id":"AV6-POJSDwoBUzALqKAg","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"AV6-PHKnDwoBUzALqJ_c","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"sort":[1643385898421,2258],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzM1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND 
_exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Issuer Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Issuer Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Common Name\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2260],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzM2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:server_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"SSL - Certificate Server Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Certificate Server Name Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"server_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2262],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzM3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Common Name Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2264],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzM4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2266],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzM5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_organization_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"X.509 - Certificate Issuer Organization Frequency Analysis","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate Issuer Organization Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_organization_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_organization.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer 
Organization\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2268],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:parent_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"DNS - Parent Domain Frequency Analysis","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"DNS - Parent Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"parent_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2270],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":52,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":76,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":76,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":100,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":100,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":124,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":nu
ll}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":124,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":52,\"x\":0,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":80,\"x\":0,\"y\":148,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":28,\"x\":8,\"y\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"z16.04 - Frequency 
Analysis","version":1},"coreMigrationVersion":"7.16.2","id":"AWAi5k4jAvKNGEbUWFis","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f1f00a0-6f04-11e7-b253-211f64f37eda","name":"panel_0","type":"visualization"},{"id":"7d1ede50-6f19-11e7-86c8-a1b6db3b051a","name":"panel_1","type":"visualization"},{"id":"8fa702e0-6f0b-11e7-9d31-23c0596994a7","name":"panel_2","type":"visualization"},{"id":"a83f17c0-6f0b-11e7-9d31-23c0596994a7","name":"panel_3","type":"visualization"},{"id":"c2e54c20-6f0b-11e7-9d31-23c0596994a7","name":"panel_4","type":"visualization"},{"id":"e03ba1d0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_5","type":"visualization"},{"id":"acd38970-6f0a-11e7-83d2-adea2f314dc5","name":"panel_6","type":"visualization"},{"id":"c3f244c0-6f0a-11e7-83d2-adea2f314dc5","name":"panel_7","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_8","type":"visualization"},{"id":"aa05e920-3433-11e7-8867-29a39c0f86b2","name":"panel_9","type":"search"},{"id":"c9f5d3a0-6f05-11e7-b253-211f64f37eda","name":"panel_10","type":"visualization"}],"sort":[1643385898421,2282],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQyLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":48,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":36,\"x\":0,\"y\":48,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"}]","timeRestore":false,"title":"z16.04 - Baby Domains","version":1},"coreMigrationVersion":"7.16.2","id":"AWAi6wvxAvKNGEbUWO_j","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"41ec0ca0-6f13-11e7-86c8-a1b6db3b051a","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"fce833e0-6f12-11e7-86c8-a1b6db3b051a","name":"panel_2","type":"search"}],"sort":[1643385898421,2286],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQzLDE1XQ=="} 
-{"attributes":{"fieldFormatMap":"{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}","fields":"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFro
mDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality
.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client
_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\"
:\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchabl
e\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.
FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Targ
etUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\
":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafk
a.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_
params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.
keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tr
ue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"
name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"t
ype\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priori
ty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"sc
ripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":
\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\
"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_messag
e\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.hostname\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefi
k.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_age
nt.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\
"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","notExpandable":true,"timeFieldName":"@timestamp","title":"*:logstash-beats-*"},"coreMigrationVersion":"7.16.2","id":"A
WBLHZaBRuBloj96jvrD","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,2287],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQ0LDE1XQ=="} -{"attributes":{"columns":["computer_name","process_id","user.name","event_id","event_data.Image"],"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"sort":[["@timestamp","desc"]],"title":"All Beats Logs","version":1},"coreMigrationVersion":"7.16.2","id":"AWBLMr9vRuBloj96jxp1","migrationVersion":{"search":"7.9.3"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2289],"type":"search","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQ1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Process IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Process 
IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWBLN7X2RuBloj96jxxY","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2291],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQ2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Computer Names","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Computer 
Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"computer_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWBLNriuRuBloj96jxv3","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2293],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Event IDs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Beats - Event 
IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWBLOT8MRuBloj96jx0N","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2295],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQ4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Usernames","uiStateJSON":"{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"title\":\"Beats - 
Usernames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWBLONJCRuBloj96jxzY","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2297],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Beats - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWBLQ2__RuBloj96jyDn","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2299],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzUwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Beats - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Beats - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHHHR8xQT5EBNmq4z7","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"AWBLHZaBRuBloj96jvrD","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2301],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzUxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":44,\"x\":0,\"y\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"columns\":[\"computer_name\",\"process_id\",\"user.name\",\"event_id\",\"event_data.Image\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\"
:\"7.9.0\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Beats","version":1},"coreMigrationVersion":"7.16.2","id":"AWBLNS3CRuBloj96jxub","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"AWBLMr9vRuBloj96jxp1","name":"panel_0","type":"search"},{"id":"AWBLNriuRuBloj96jxv3","name":"panel_1","type":"visualization"},{"id":"AWBLN7X2RuBloj96jxxY","name":"panel_2","type":"visualization"},{"id":"AWBLOT8MRuBloj96jx0N","name":"panel_3","type":"visualization"},{"id":"AWBLONJCRuBloj96jxzY","name":"panel_4","type":"visualization"},{"id":"AWBLQ2__RuBloj96jyDn","name":"panel_5","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_6","type":"visualization"},{"id":"AWDHHHR8xQT5EBNmq4z7","name":"panel_7","type":"visualization"}],"sort":[1643385898421,2310],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzUyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG71xFxQT5EBNmq336","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2312],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzUzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDG9Qx0xQT5EBNmq3_2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2314],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzU0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHD-LfxQT5EBNmq4iB","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2316],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzU1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHDNS4xQT5EBNmq4dF","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2318],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzU2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMB - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHDfDkxQT5EBNmq4fQ","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,2320],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHDsr0xQT5EBNmq4gw","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2322],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzU4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHE-_wxQT5EBNmq4n3","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,2324],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHEKJUxQT5EBNmq4jW","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2326],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzYwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHEYk4xQT5EBNmq4k5","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2328],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzYxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHElRWxQT5EBNmq4lz","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2330],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzYyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHFYrqxQT5EBNmq4qT","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2332],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzYzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHGXk-xQT5EBNmq4uf","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2334],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzY0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"AWDHGklsxQT5EBNmq4wG","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2336],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzY1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.category.keyword : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Event.Cat:Registry Logs","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All Event.Cat:Registry Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}}}"},"coreMigrationVersion":"7.16.2","id":"a0d30200-6405-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2339],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzY2LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"505d91a5-4f8c-4350-94d6-f6ef79f78ee5":{"columnOrder":["48488c44-5465-4f80-8fda-7f09c7fa1b71","8912ace2-fabe-4cb8-9ee7-9fe38a018b83"],"columns":{"48488c44-5465-4f80-8fda-7f09c7fa1b71":{"dataType":"string","isBucketed":true,"label":"Top values of host.os.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"8912ace2-fabe-4cb8-9ee7-9fe38a018b83","type":"column"},"orderDirection":"desc","otherBucket":true,"size":3},"scale":"ordinal","sourceField":"host.os.name"},"8912ace2-fabe-4cb8-9ee7-9fe38a018b83":{"dataType":"number","isBucketed":false,"label":"Unique count of host.name","operationType":"unique_count","scale":"ratio","sourceField":"host.name"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["48488c44-5465-4f80-8fda-7f09c7fa1b71"],"layerId":"505d91a5-4f8c-4350-94d6-f6ef79f78ee5","layerType":"data","legendDisplay":"default","metric":"8912ace2-fabe-4cb8-9ee7-9fe38a018b83","nestedLegend":false,"numberDisplay":"percent"}],"shape":"donut"}},"title":"Endgame - Host Operating 
Systems","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"a2244d00-624b-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-505d91a5-4f8c-4350-94d6-f6ef79f78ee5","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2343],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzY3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Connection","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2345],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzY4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination Port","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Connections - Top 10 - Total Bytes By Destination 
Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max total_bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2347],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzY5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Top 10 - Total Bytes By Destination IP","uiStateJSON":"{}","version":1,"visState":"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total 
Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination IP\",\"type\":\"histogram\"}"},"coreMigrationVersion":"7.16.2","id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2349],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzcwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":71,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":20,\"h\":18,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":18,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":18,\"w\":20,\"h\":20,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"
},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":38,\"w\":40,\"h\":33,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":28,\"y\":18,\"w\":20,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]","timeRestore":false,"title":"Connections - Total Bytes","version":1},"coreMigrationVersion":"7.16.2","id":"a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f1325230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_1","type":"visualization"},{"id":"acd65230-3b0d-11e7-a0fe-29878c6f414a","name":"panel_2","type":"visualization"},{"id":"41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b","name":"panel_3","type":"visualization"},{"id":"726cc040-48cf-11e8-9576-313be7c6b44b","name":"panel_4","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b","name":"panel_6","type":"visualization"}],"sort":[1643385898421,2357],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzcxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2359],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzcyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination 
Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a663e070-4c78-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"sort":[1643385898421,2361],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_coun
t\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2363],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzc0LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"3895de20-9e00-43b5-b87f-b1c0bfa33b71":{"columnOrder":["409d0c1c-683e-45b6-ba92-805285d63f55","04cce9d7-67c1-4fd9-964d-f34dd053e070"],"columns":{"04cce9d7-67c1-4fd9-964d-f34dd053e070":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"409d0c1c-683e-45b6-ba92-805285d63f55":{"dataType":"date","isBucketed":true,"label":"@timestamp","operationType":"date_histogram","params":{"interval":"auto"},"scale":"interval","sourceField":"@timestamp"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"registry\" "},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["04cce9d7-67c1-4fd9-964d-f34dd053e070"],"layerId":"3895de20-9e00-43b5-b87f-b1c0bfa33b71","layerType":"data","position":"top","seriesType":"line","showGridlines":false,"xAccessor":"409d0c1c-683e-45b6-ba92-805285d63f55"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"line","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Event.Cat:Registry Log Count Over 
Time","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"e09d6340-6cc9-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-3895de20-9e00-43b5-b87f-b1c0bfa33b71","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2367],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzc1LDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"9643f560-7a46-408c-b61d-ed2a87fc6103":{"columnOrder":["fdf33737-65bc-4b40-a118-140a43e9b7e5","3520723b-f0f3-4845-975c-e97380d8124b"],"columns":{"3520723b-f0f3-4845-975c-e97380d8124b":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"fdf33737-65bc-4b40-a118-140a43e9b7e5":{"dataType":"string","isBucketed":true,"label":"Top values of process.executable","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"3520723b-f0f3-4845-975c-e97380d8124b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":10},"scale":"ordinal","sourceField":"process.executable"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":"event.category.keyword : \"registry\" 
"},"visualization":{"axisTitlesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"fittingFunction":"None","gridlinesVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"labelsOrientation":{"x":0,"yLeft":0,"yRight":0},"layers":[{"accessors":["3520723b-f0f3-4845-975c-e97380d8124b"],"layerId":"9643f560-7a46-408c-b61d-ed2a87fc6103","layerType":"data","seriesType":"bar_horizontal","xAccessor":"fdf33737-65bc-4b40-a118-140a43e9b7e5"}],"legend":{"isVisible":true,"position":"right"},"preferredSeriesType":"bar_horizontal","tickLabelsVisibilitySettings":{"x":true,"yLeft":true,"yRight":true},"valueLabels":"hide","yLeftExtent":{"mode":"full"},"yRightExtent":{"mode":"full"}}},"title":"Endgame - Registry Event process.executable","visualizationType":"lnsXY"},"coreMigrationVersion":"7.16.2","id":"e9afc350-6cc5-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2371],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzc2LDE1XQ=="} 
-{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"65529737-0abd-4698-a75c-47c2e0934cc4":{"columnOrder":["4fb772fa-d1e1-4746-9eaf-83e1690feb92","26daa4f5-0a68-4fae-8385-0804a8d8d42b"],"columns":{"26daa4f5-0a68-4fae-8385-0804a8d8d42b":{"customLabel":true,"dataType":"number","isBucketed":false,"label":"Count","operationType":"count","scale":"ratio","sourceField":"Records"},"4fb772fa-d1e1-4746-9eaf-83e1690feb92":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"user.name","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"26daa4f5-0a68-4fae-8385-0804a8d8d42b","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"user.name"}},"incompleteColumns":{}}}}},"filters":[{"$state":{"store":"appState"},"meta":{"alias":null,"disabled":false,"indexRefName":"filter-index-pattern-0","key":"event.category","negate":false,"params":{"query":"registry"},"type":"phrase"},"query":{"match_phrase":{"event.category":"registry"}}}],"query":{"language":"kuery","query":""},"visualization":{"columns":[{"columnId":"4fb772fa-d1e1-4746-9eaf-83e1690feb92"},{"columnId":"26daa4f5-0a68-4fae-8385-0804a8d8d42b"}],"layerId":"65529737-0abd-4698-a75c-47c2e0934cc4","layerType":"data"}},"title":"Endgame - Registry User 
Name","visualizationType":"lnsDatatable"},"coreMigrationVersion":"7.16.2","id":"c86a8ba0-6e44-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-65529737-0abd-4698-a75c-47c2e0934cc4","type":"index-pattern"},{"id":"endgame-*","name":"filter-index-pattern-0","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2376],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzc3LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}","panelsJSON":"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":11,\"i\":\"066310d0-63f3-4cc8-9daa-8c0be5ad5b5f\"},\"panelIndex\":\"066310d0-63f3-4cc8-9daa-8c0be5ad5b5f\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_066310d0-63f3-4cc8-9daa-8c0be5ad5b5f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":10,\"h\":11,\"i\":\"06494306-08f9-440f-a361-d63cbd6176be\"},\"panelIndex\":\"06494306-08f9-440f-a361-d63cbd6176be\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Registry All Logs \",\"panelRefName\":\"panel_06494306-08f9-440f-a361-d63cbd6176be\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":11,\"i\":\"9461ee7e-d1fd-448b-9094-eff9e2ebdd58\"},\"panelIndex\":\"9461ee7e-d1fd-448b-9094-eff9e2ebdd58\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Registry Logs Over Time\",\"panelRefName\":\"panel_9461ee7e-d1fd-448b-9094-eff9e2ebdd58\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":33,\"h\":17,\"i\":\"3265c94f-df4b-4a1d-bc7c-64c2e99e72a7\"},\"panelIndex\":\"3265c94f-df4b-4a1d-bc7c-64c2e99e72a7\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Registry Event Process\",\"panelRefName\":\"panel_3265c94f-df4b-4a1d-bc7c-64c2e99e72a7\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":33,\"y\":11,\"w\":15,\"h\":17,\"i\":\"ca05c1e6-7d21-4c69-b6be-ab95031f30f9\"},\"panelIndex\":\"ca05c1e6-7d21-4c69-b6be-ab95031f30f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ca05c1e6-7d21-4c69-b6be-ab95031f30f9\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":30,\"h\":17,\"i\":\"5b3b7aed-80c9-4e18-a55a-7ca2841913a1\"},\"panelIndex\":\"5b3b7aed-80c9-4e18-a55a-7ca2841913a1\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - 
Registry Events\",\"panelRefName\":\"panel_5b3b7aed-80c9-4e18-a55a-7ca2841913a1\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":30,\"y\":28,\"w\":18,\"h\":17,\"i\":\"83bb52e5-74b3-459b-8767-78bc47d1ff8d\"},\"panelIndex\":\"83bb52e5-74b3-459b-8767-78bc47d1ff8d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_83bb52e5-74b3-459b-8767-78bc47d1ff8d\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":34,\"i\":\"aa14e2db-4c3d-4a44-ad58-aae071e6ed3f\"},\"panelIndex\":\"aa14e2db-4c3d-4a44-ad58-aae071e6ed3f\",\"embeddableConfig\":{\"enhancements\":{},\"columns\":[\"host.name\",\"registry.path\",\"related.user\",\"registry.key\",\"registry.value\"]},\"panelRefName\":\"panel_aa14e2db-4c3d-4a44-ad58-aae071e6ed3f\"}]","timeRestore":false,"title":"Endgame - Registry","version":1},"coreMigrationVersion":"7.16.2","id":"a6c6c880-63f7-11ec-864c-8b5450f97635","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"754f7380-6d82-11ec-864c-8b5450f97635","name":"066310d0-63f3-4cc8-9daa-8c0be5ad5b5f:panel_066310d0-63f3-4cc8-9daa-8c0be5ad5b5f","type":"visualization"},{"id":"10af1a20-6cc9-11ec-864c-8b5450f97635","name":"06494306-08f9-440f-a361-d63cbd6176be:panel_06494306-08f9-440f-a361-d63cbd6176be","type":"lens"},{"id":"e09d6340-6cc9-11ec-864c-8b5450f97635","name":"9461ee7e-d1fd-448b-9094-eff9e2ebdd58:panel_9461ee7e-d1fd-448b-9094-eff9e2ebdd58","type":"lens"},{"id":"e9afc350-6cc5-11ec-864c-8b5450f97635","name":"3265c94f-df4b-4a1d-bc7c-64c2e99e72a7:panel_3265c94f-df4b-4a1d-bc7c-64c2e99e72a7","type":"lens"},{"id":"c86a8ba0-6e44-11ec-864c-8b5450f97635","name":"ca05c1e6-7d21-4c69-b6be-ab95031f30f9:panel_ca05c1e6-7d21-4c69-b6be-ab95031f30f9","type":"lens"},{"id":"e1e12ab0-6cc5-11ec-864c-8b5450f97635","name":"5b3b7aed-80c9-4e18-a55a-7ca2841913a1:panel_5b3b7aed-80c9-4e18-a55a-7ca2841913a1","type":"lens"},{"id":"8d1f99e0-6e45-11ec-864c-8b5450f97635","name":"83bb52e5-74b3-459b-8767-78bc47d1ff8d:panel_83bb52e5-74b3-
459b-8767-78bc47d1ff8d","type":"lens"},{"id":"0359b740-64cc-11ec-864c-8b5450f97635","name":"aa14e2db-4c3d-4a44-ad58-aae071e6ed3f:panel_aa14e2db-4c3d-4a44-ad58-aae071e6ed3f","type":"search"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2386],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzc4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - Request - Client","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - Request - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"request.client.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2388],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzc5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Data Overview","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Data 
Overview\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":false,\"last_level\":false,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"url\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"},"coreMigrationVersion":"7.16.2","id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2390],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzgwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"observer.name:* OR agent.name:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Log Count By Node ","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Log Count By Node \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"observer.name.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"observer.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Node\"}}]}"},"coreMigrationVersion":"7.16.2","id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2392],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzgxLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\"},\"panelIndex\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":0,\"w\":17,\"h\":8,\"i\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\"},\"panelIndex\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"126f5365-8829-469d-8349-a08874975584\"},\"panelIndex\":\"126f5365-8829-469d-8349-a08874975584\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":22,\"h\":26,\"i\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\"},\"panelIndex\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\"
,\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":8,\"w\":9,\"h\":26,\"i\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\"},\"panelIndex\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":8,\"w\":8,\"h\":26,\"i\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\"},\"panelIndex\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":8,\"w\":9,\"h\":26,\"i\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\"},\"panelIndex\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":30,\"i\":\"3c89322f-4209-40ba-bbe7-5c5fb45420ac\"},\"panelIndex\":\"3c89322f-4209-40ba-bbe7-5c5fb45420ac\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - 
Home","version":1},"coreMigrationVersion":"7.16.2","id":"a8411b30-6d03-11ea-b301-3d6c35840645","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ac6b1720-7559-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"ad398b70-6e9a-11ea-9266-1fd14ca6af34","name":"panel_4","type":"visualization"},{"id":"8b065a80-6eca-11ea-9266-1fd14ca6af34","name":"panel_5","type":"visualization"},{"id":"a9fae5c0-6e9b-11ea-9266-1fd14ca6af34","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,2401],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzgyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNS - Response Code Name 
(Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.response.code_name.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - DNS - Response Code Name (Donut)\"}"},"coreMigrationVersion":"7.16.2","id":"a9bd4090-72b9-11ea-8dd2-9d8795a1200b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2403],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzgzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"\"\n },\n \"filter\": []\n}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - Query Results Count","uiStateJSON":"{\n \"vis\": 
{\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Results\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.hostname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.live_query.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Live Query Pivot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.endpoint_ip1.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint Primary IP\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Osquery - Query Results 
Count\"}"},"coreMigrationVersion":"7.16.2","id":"ab47a590-afcc-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9eed5fc0-afcb-11ea-b262-353d451b125b","name":"search_0","type":"search"}],"sort":[1643385898421,2405],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzg0LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"h\":8,\"i\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"}]","timeRestore":false,"title":"Security Onion - Users","version":1},"coreMigrationVersion":"7.16.2","id":"abbe1140-72c7-11ea-8dd2-9d8795a1200b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"}],"sort":[1643385898421,2407],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzg1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Dataset By Node","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Dataset By 
Node\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"},"coreMigrationVersion":"7.16.2","id":"abffa080-6ec9-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2409],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzg2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f5166880-374f-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2411],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzg3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Request Path","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request 
Path\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"dddb4430-3752-11e7-b74a-f5057991ccd2","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2413],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzg4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SIP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SIP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2415],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzg5LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData
\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"asc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"z16.04 - Bro - 
SIP","version":1},"coreMigrationVersion":"7.16.2","id":"ad3c0830-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"5393c710-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5166880-374f-11e7-b74a-f5057991ccd2","name":"panel_2","type":"visualization"},{"id":"04e1aea0-3750-11e7-b74a-f5057991ccd2","name":"panel_3","type":"visualization"},{"id":"90bf0a80-3750-11e7-b74a-f5057991ccd2","name":"panel_4","type":"visualization"},{"id":"dddb4430-3752-11e7-b74a-f5057991ccd2","name":"panel_5","type":"visualization"},{"id":"5e36c370-3753-11e7-b74a-f5057991ccd2","name":"panel_6","type":"visualization"},{"id":"73f663f0-3753-11e7-b74a-f5057991ccd2","name":"panel_7","type":"visualization"},{"id":"930b1600-3753-11e7-b74a-f5057991ccd2","name":"panel_8","type":"visualization"},{"id":"2db47070-3754-11e7-b74a-f5057991ccd2","name":"panel_9","type":"visualization"},{"id":"9e131480-342e-11e7-9e93-53b62e1857b2","name":"panel_10","type":"search"},{"id":"1ef5c230-6e24-11e7-a261-55504638cf3b","name":"panel_11","type":"visualization"},{"id":"dfd1dc00-6e24-11e7-a261-55504638cf3b","name":"panel_12","type":"visualization"},{"id":"AWDHDNS4xQT5EBNmq4dF","name":"panel_13","type":"visualization"},{"id":"0291dba0-4c78-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"}],"sort":[1643385898421,2431],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzkwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:zeek AND 
event.dataset:file\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"257c130f-3673-410c-9f60-d67deb13b580\"},\"panelIndex\":\"257c130f-3673-410c-9f60-d67deb13b580\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":7,\"i\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\"},\"panelIndex\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":7,\"i\":\"93532ba0-f446-4a97-8783-a04dd4347485\"},\"panelIndex\":\"93532ba0-f446-4a97-8783-a04dd4347485\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":19,\"i\":\"a2af856c-7069-46b2-974c-e8b9054af929\"},\"panelIndex\":\"a2af856c-7069-46b2-974c-e8b9054af929\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":7,\"w\":9,\"h\":19,\"i\":\"4a3de026-5001-46a6-af20-78db885bd4bb\"},\"panelIndex\":\"4a3de026-5001-46a6-af20-78db885bd4bb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":17,\"y\":7,\"w\":17,\"h\":19,\"i\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\"},\"panelIndex\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":7,\"w\":14,\"h\":19,\"i\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\"},\"panelIndex\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":21,\"h\":19,\"i\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\"},\"pane
lIndex\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":21,\"y\":26,\"w\":8,\"h\":19,\"i\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\"},\"panelIndex\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":26,\"w\":10,\"h\":19,\"i\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\"},\"panelIndex\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":26,\"w\":9,\"h\":19,\"i\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\"},\"panelIndex\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":24,\"i\":\"226350dd-3afe-4135-a8da-71db63287a95\"},\"panelIndex\":\"226350dd-3afe-4135-a8da-71db63287a95\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - Zeek 
Files","version":1},"coreMigrationVersion":"7.16.2","id":"ad4d5d60-75f4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"bcf25e30-75f1-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"e8d35c50-75f3-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"09fc6ef0-7732-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"2fc4bea0-7730-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"efc25540-75f1-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"sort":[1643385898421,2444],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzkxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,2446],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Destination Country (Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SSL - Destination Country (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination_geo.country_name.keyword: 
Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2448],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0MzkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS - True/False (Vertical Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SMTP - TLS - True/False 
(Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2450],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzk0LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Initial 
Systems/Queries\",\"disabled\":true,\"key\":\"osquery.counter\",\"negate\":true,\"params\":{\"query\":0,\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Servers Only\",\"disabled\":true,\"key\":\"osquery.codename\",\"negate\":false,\"params\":{\"query\":\"server\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"server\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"osquery.codename\":{\"query\":\"server\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":11,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":29,\"w\":40,\"h\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Chrome Extensions - Logs\",\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Chrome Extensions - Sensitive Permissions\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":11,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Chrome Extensions - Changes by Hostname\",\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"osquery - Chrome 
Extensions","version":1},"coreMigrationVersion":"7.16.2","id":"af0ea750-18d3-11e9-932c-d12d2cf4ee95","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index","type":"index-pattern"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"71538370-18d5-11e9-932c-d12d2cf4ee95","name":"panel_1","type":"visualization"},{"id":"0eee4360-18d4-11e9-932c-d12d2cf4ee95","name":"panel_2","type":"search"},{"id":"78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_3","type":"visualization"},{"id":"04f86530-1a59-11e9-ac0b-cb0ba10141ab","name":"panel_4","type":"visualization"}],"sort":[1643385898421,2458],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzk1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Security Onion - Osquery - 
Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Osquery - Name\"}"},"coreMigrationVersion":"7.16.2","id":"af139720-afcb-11ea-b262-353d451b125b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"sort":[1643385898421,2460],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzk2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DHCP - Message Type 
(Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - DHCP - Message Type (Donut)\"}"},"coreMigrationVersion":"7.16.2","id":"af26c6e0-96e6-11ea-814e-bb515e873c2c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2462],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzk3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2464],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzk4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Country (Donut Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - Destination Country (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"},"coreMigrationVersion":"7.16.2","id":"dfe23030-39a1-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2466],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0Mzk5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - TLS (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMTP - TLS (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2468],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDAwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP 
Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2470],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDAxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - User Agent","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d776e510-6e28-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2472],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDAyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SMTP - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SMTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2474],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDAzLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"grid
Data\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"
20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"}]","timeRestore":false,"title":"z16.04 - Bro - SMTP","version":1},"coreMigrationVersion":"7.16.2","id":"b10a9c60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"7c922990-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"c47e2a10-39a1-11e7-8472-0151e5b2b475","name":"panel_2","type":"visualization"},{"id":"dfe23030-39a1-11e7-8472-0151e5b2b475","name":"panel_3","type":"visualization"},{"id":"73b1b240-39a2-11e7-8472-0151e5b2b475","name":"panel_4","type":"visualization"},{"id":"96767400-39a2-11e7-8472-0151e5b2b475","name":"panel_5","type":"visualization"},{"id":"c3bb32c0-39a2-11e7-8472-0151e5b2b475","name":"panel_6","type":"visualization"},{"id":"f18a0480-3bd0-11e7-9c09-4f161b0766dd","name":"panel_7","type":"visualization"},{"id":"a5045e20-3bd1-11e7-a3ae-1754b87179c0","name":"panel_8","type":"visualization"},{"id":"a6cea530-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"d776e510-6e28-11e7-8b76-75eee0095daa","name":"panel_10","type":"visualization"},{"id":"53beb0d0-6e29-11e7-8b76-75eee0095daa","name":"panel_11","type":"visualization"},{"id":"aeb71cc0-6e29-11e7-8b76-75eee0095daa","name":"panel_12","type":"visualization"},{"id":"d5aa6d00-6e29-11e7-8b76-75eee0095daa","name":"panel_13","type":"visualization"},{"id":"AWDHDsr0xQT5EBNmq4gw","name":"panel_14","type":"visualization"}],"sort":[1643385898421,2490],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDA0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - 
IIN","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - IIN\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.iin: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.iin\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IIN\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2492],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDA1LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dnp3\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":8,\"w\":12,\"h\":19,\"i\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\"},\"panelIndex\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\"},\"panelIndex\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":
\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":28,\"i\":\"f36f0fec-ab1e-4aea-84ea-4cf0fedcfffc\"},\"panelIndex\":\"f36f0fec-ab1e-4aea-84ea-4cf0fedcfffc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - DNP3","version":1},"coreMigrationVersion":"7.16.2","id":"b1f52180-755a-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f991b6d0-75b8-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"214793c0-75b9-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,2501],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDA2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Authentication Method","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Authentication 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.authentication.method.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.authentication.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"},"coreMigrationVersion":"7.16.2","id":"b2053990-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2503],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDA3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:kerberos\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\"},\"panelIndex\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":15,\"h\":9,\"i\":\"e0e4a50d-887b-472b-a790-302966fb6f49\"},\"panelIndex\":\"e0e4a50d-887b-472b-a790-302966fb6f49\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\"},\"panelIndex\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":19,\"i\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\"},\"panelIndex\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":19,\"i\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\"},\"panelIndex\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":9,\"w\":11,\"h\":19,\"i\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\"},\"panelIndex\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":9,\"w\":7,\"h\":19,\"i\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\"},\"panelIndex\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"vers
ion\":\"7.9.0\",\"gridData\":{\"x\":38,\"y\":9,\"w\":10,\"h\":19,\"i\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\"},\"panelIndex\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":29,\"i\":\"13a216e9-1e56-4069-a61a-238ff604a18b\"},\"panelIndex\":\"13a216e9-1e56-4069-a61a-238ff604a18b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - Kerberos","version":1},"coreMigrationVersion":"7.16.2","id":"b207ab90-75bc-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"c879ad60-72a1-11ea-8dd2-9d8795a1200b","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"0ecc7310-75bd-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"2d73e460-75bd-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"48331f00-75bd-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,2513],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDA4LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"
},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"z16.04 - Bro - SMB","version":1},"coreMigrationVersion":"7.16.2","id":"b3a53710-3aaa-11e7-8b17-0d8709b02c80","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"panel_0","type":"search"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"85e40a70-3aac-11e7-8b17-0d8709b02c80","name":"panel_2","type":"visualization"},{"id":"15b4e7a0-3aad-11e7-8b17-0d8709b02c80","name":"panel_3","type":"visualization"},{"id":"31f5e040-3aad-11e7-8b17-0d8709b02c80","name":"panel_4","type":"visualization"},{"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","name":"panel_5","type":"visualization"},{"id":"60384e00-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_6","type":"visualization"},{"id":"72f0f010-3aaf-11e7-a83b-b1b4da7d15f4","name":"panel_7","type":"visualization"},{"id":"306c4330-4175-11e7-a0f7-47f4c03e3306","name":"panel_8","type":"visualization"},{"id":"AWDHDfDkxQT5EBNmq4fQ","name":"panel_9","type":"visualization"},{"id":"a663e070-4c78-11e8-9b0a-f1d33346f773","name":"panel_10","type":"visualization"}],"sort":[1643385898421,2525],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDA5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Responder 
Bytes","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Responder Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"respond_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"b50912f0-366f-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2527],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDEwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Tunnels - Type","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Tunnels - 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"},"coreMigrationVersion":"7.16.2","id":"b6120810-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2529],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDExLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Connections - Source - Responder Bytes ( Tile Map)","uiStateJSON":"{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}","version":1,"visState":"{\"title\":\"Connections - Source - Responder Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"respond_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2531],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDEyLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"Connections - Source 
- Responder Bytes","version":1},"coreMigrationVersion":"7.16.2","id":"b65775e0-46cb-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"sort":[1643385898421,2534],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDEzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e8511600-36b8-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2536],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDE0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SNMP - Session Duration","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SNMP - Session 
Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"duration\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2538],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDE1LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gri
dData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Bro - 
SNMP","version":1},"coreMigrationVersion":"7.16.2","id":"b65c2710-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"a67546c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"e8511600-36b8-11e7-9786-41a1d72e15ad","name":"panel_2","type":"visualization"},{"id":"0defabb0-36b9-11e7-9786-41a1d72e15ad","name":"panel_3","type":"visualization"},{"id":"e47015d0-36b9-11e7-9786-41a1d72e15ad","name":"panel_4","type":"visualization"},{"id":"2a3ae810-36ba-11e7-9786-41a1d72e15ad","name":"panel_5","type":"visualization"},{"id":"b12150a0-342e-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"7dc62970-6e2a-11e7-8b76-75eee0095daa","name":"panel_7","type":"visualization"},{"id":"AWDHD-LfxQT5EBNmq4iB","name":"panel_8","type":"visualization"},{"id":"83a91450-4c79-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"sort":[1643385898421,2549],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDE2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Validation Status","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Validation 
Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.validation_status.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssl.validation_status.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}"},"coreMigrationVersion":"7.16.2","id":"b8371250-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2551],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDE3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:radius\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\"},\"panelIndex\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":9,\"i\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\"},\"panelIndex\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\"},\"panelIndex\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":19,\"i\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\"},\"panelIndex\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":19,\"i\":\"7075ea4f-e935-470c-9329-9a0b15202385\"},\"panelIndex\":\"7075ea4f-e935-470c-9329-9a0b15202385\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":19,\"i\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\"},\"panelIndex\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":19,\"i\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\"},\"panelIndex\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":
\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":19,\"i\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\"},\"panelIndex\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":29,\"i\":\"49fd1168-f7ab-4759-a92c-f2699389678e\"},\"panelIndex\":\"49fd1168-f7ab-4759-a92c-f2699389678e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - RADIUS","version":1},"coreMigrationVersion":"7.16.2","id":"b9769e60-75c4-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"767c89f0-af4c-11ea-b262-353d451b125b","name":"panel_5","type":"visualization"},{"id":"0ca071b0-75c5-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"27ab8260-75c5-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,2561],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDE4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"},"coreMigrationVersion":"7.16.2","id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2563],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDE5LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"
gridData\":{\"x\":0,\"y\":7,\"w\":48,\"h\":16,\"i\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\"},\"panelIndex\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"91e35690-24ec-4a13-b791-6146c05a2285\"},\"panelIndex\":\"91e35690-24ec-4a13-b791-6146c05a2285\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"Security Onion - Osquery","version":1},"coreMigrationVersion":"7.16.2","id":"bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"df50eba0-6ec0-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"ab47a590-afcc-11ea-b262-353d451b125b","name":"panel_3","type":"visualization"},{"id":"a866be10-0e45-11eb-a255-e1e8e85e3571","name":"panel_4","type":"search"}],"sort":[1643385898421,2569],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDIwLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Software - Log Count Over Time","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2571],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDIxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"name\",\"software_type\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Software","version":1},"coreMigrationVersion":"7.16.2","id":"c2c99c30-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"ba3d77e0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"AWDHEKJUxQT5EBNmq4jW","name":"panel_3","type":"visualization"},{"id":"9b0f6a80-4c7a-11e8-9b0a-f1d33346f773","name":"panel_4","type":"visualization"}],"sort":[1643385898421,2577],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDIyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"Connections - Protocol (Bar Chart)","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Connections - Protocol (Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocol\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c3152010-3673-11e7-8c78-e3086faf385c","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2579],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","v
ersion":"WzE0NDIzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - MySQL - Success","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2581],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDI0LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event.dataset:mysql\",\"language\":\"kuery\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\"},\"panelIndex\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":9,\"i\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\"},\"panelIndex\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\"},\"panelIndex\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\"},\"panelIndex\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\"},\"panelIndex\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\"},\"panelIndex\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\"},\"panelIndex\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\"
:\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":16,\"i\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\"},\"panelIndex\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":29,\"i\":\"fb7962e7-1108-429e-a623-8ece03931e4a\"},\"panelIndex\":\"fb7962e7-1108-429e-a623-8ece03931e4a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"Security Onion - MySQL","version":1},"coreMigrationVersion":"7.16.2","id":"c3ced6d0-75be-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"ec40c5e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1f306f60-75c0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"3af496e0-75c0-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_8","type":"search"}],"sort":[1643385898421,2591],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDI1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,2593],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDI2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Bro - Syslog - Protocol","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Bro - Syslog - 
Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"protocol.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"search_0","type":"search"}],"sort":[1643385898421,2595],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDI3LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddab
leConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Syslog","version":1},"coreMigrationVersion":"7.16.2","id":"c4bbe040-76b3-11e7-ba96-cba76a1e264d","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"92b202e0-76b4-11e7-94e1-3d2ec4e57ed9","name":"panel_1","type":"visualization"},{"id":"269ca380-76b4-11e7-8c3e-cfcdd8c95d87","name":"panel_2","type":"search"},{"id":"6c60a280-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_3","type":"visualization"},{"id":"ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_4","type":"visualization"},{"id":"ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9","name":"panel_5","type":"visualization"},{"id":"e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9","name":"panel_6","type":"visualization"},{"id":"346e5c30-76b7-11e7-94e1-3d2ec4e57ed9","name":"panel_7","type":"visualization"},{"id":"AWDHE-_wxQT5EBNmq4n3","name":"panel_8","type":"visualization"}],"sort":[1643385898421,2605],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDI4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSH - Authentication Success","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication 
Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"authentication_success.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2607],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDI5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSH -Server","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSH 
-Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2609],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDMwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"ve
rsion\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Bro - 
SSH","version":1},"coreMigrationVersion":"7.16.2","id":"c6ccfc00-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"09457310-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"8a60eb50-365f-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a33f9a0-365f-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"c33e7600-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"54d78f50-6e33-11e7-9a19-a5996f8250c6","name":"panel_5","type":"visualization"},{"id":"dcea2790-6e33-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"2bbdc020-6e34-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHEYk4xQT5EBNmq4k5","name":"panel_8","type":"visualization"},{"id":"e64833a0-4c7b-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"sort":[1643385898421,2620],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDMxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"coreMigrationVersion":"7.16.2","id":"c7484350-6eb1-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,2622],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDMyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Message","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.message.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}"},"coreMigrationVersion":"7.16.2","id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2624],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDMzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Share Flag","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Share 
Flag\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2626],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDM0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - RFB - Desktop Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - RFB - Desktop 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.desktop.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.desktop.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Desktop Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2628],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDM1LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rfb\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\"},\"panelIndex\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"0e12fa96-b29d-4815-ae19-b6e894948597\"},\"panelIndex\":\"0e12fa96-b29d-4815-ae19-b6e894948597\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\"},\"panelIndex\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\"},\"panelIndex\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\"},\"panelIndex\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":14,\"h\":19,\"i\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\"},\"panelIndex\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"edfbec77-b174-40ac-9f11-776da22fe82d\"},\"panelIndex\":\"edfbec77-b174-40ac-9f11-776da22fe82d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\
"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\"},\"panelIndex\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":27,\"w\":12,\"h\":15,\"i\":\"aedad86f-ec5e-4330-bab0-468351eb8355\"},\"panelIndex\":\"aedad86f-ec5e-4330-bab0-468351eb8355\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":15,\"i\":\"8092b313-2e40-47e4-96a2-51086f98e53f\"},\"panelIndex\":\"8092b313-2e40-47e4-96a2-51086f98e53f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":42,\"w\":48,\"h\":29,\"i\":\"630311aa-6915-4543-a10a-2677f3c2f96a\"},\"panelIndex\":\"630311aa-6915-4543-a10a-2677f3c2f96a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
RFB","version":1},"coreMigrationVersion":"7.16.2","id":"c8b3c360-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"b2053990-75c7-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"d5e72b20-75c7-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"fe62c910-75c7-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"5dcf09e0-75c8-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"316e90a0-75c8-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"sort":[1643385898421,2640],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDM2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connection Count","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Connection Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"},"coreMigrationVersion":"7.16.2","id":"c94e2aa0-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,2642],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDM3LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:tunnel\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"19aef080-5875-4182-81a8-2a6639c75489\"},\"panelIndex\":\"19aef080-5875-4182-81a8-2a6639c75489\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\"},\"panelIndex\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"21848a06-ca96-4869-b069-7524caf3ae06\"},\"panelIndex\":\"21848a06-ca96-4869-b069-7524caf3ae06\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\"},\"panelInde
x\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"9f72f316-c3a2-4658-8d03-932fa590e216\"},\"panelIndex\":\"9f72f316-c3a2-4658-8d03-932fa590e216\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"fa1bc43a-2be3-4699-97af-677bded82273\"},\"panelIndex\":\"fa1bc43a-2be3-4699-97af-677bded82273\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\"},\"panelIndex\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"b7799f8a-60c5-4629-9acd-9bbe7ebbac2a\"},\"panelIndex\":\"b7799f8a-60c5-4629-9acd-9bbe7ebbac2a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"Security Onion - 
Tunnels","version":1},"coreMigrationVersion":"7.16.2","id":"c962dd60-75ed-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6120810-75ef-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"search"}],"sort":[1643385898421,2651],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDM4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Weird - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2653],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDM5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - DNP3 - FC Reply","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.fc_reply.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"},"coreMigrationVersion":"7.16.2","id":"cb29fbe0-75b8-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2655],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":20,\"w\":24,\"h\":20,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":0,\"w\":24,\"h\":20,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":40,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"
panelRefName\":\"panel_3\"}]","timeRestore":false,"title":"Connections - Top Source IPs","version":1},"coreMigrationVersion":"7.16.2","id":"cb367060-3b04-11e7-a83b-b1b4da7d15f4","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_0","type":"visualization"},{"id":"28c27f80-3b05-11e7-a83b-b1b4da7d15f4","name":"panel_1","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_2","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_3","type":"search"}],"sort":[1643385898421,2660],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQxLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"851cf638-4ae4-45ad-b7ad-e97c0926b6a3":{"columnOrder":["558ae3ab-245f-4076-9b88-155e26219823","01fd47d1-6f20-44f0-afb6-2850548061f8"],"columns":{"01fd47d1-6f20-44f0-afb6-2850548061f8":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"558ae3ab-245f-4076-9b88-155e26219823":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Endgame - Event Actions","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"01fd47d1-6f20-44f0-afb6-2850548061f8","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.action"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["558ae3ab-245f-4076-9b88-155e26219823"],"layerId":"851cf638-4ae4-45ad-b7ad-e97c0926b6a3","layerType":"data","legendDisplay":"show","metric":"01fd47d1-6f20-44f0-afb6-2850548061f8","nestedLegend":false,"numberDisplay":"percent"}],"shape":"pie"}},"title":"Endgame - Event Actions 
Graph","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"cb421a30-6252-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-851cf638-4ae4-45ad-b7ad-e97c0926b6a3","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2664],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Source IP Address","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2666],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"SSL - Destination 
Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2668],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQ0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SSL - Summary","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server 
Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Version\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2670],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQ1LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":104,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":104,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":104,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridDa
ta\":{\"w\":48,\"h\":72,\"x\":0,\"y\":128,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]","timeRestore":false,"title":"z16.04 - Bro - SSL","version":1},"coreMigrationVersion":"7.16.2","id":"cca67b60-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6139edd0-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"3753e110-365a-11e7-bf60-314364dd1cde","name":"panel_2","type":"visualization"},{"id":"02699580-365a-11e7-bf60-314364dd1cde","name":"panel_3","type":"visualization"},{"id":"db570800-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_4","type":"visualization"},{"id":"f0700840-365a-11e7-8bd0-1db2c55fb7a1","name":"panel_5","type":"visualization"},{"id":"21d090d0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_6","type":"visualization"},{"id":"53ac63e0-365b-11e7-8bd0-1db2c55fb7a1","name":"panel_7","type":"visualization"},{"id":"ae959820-365c-11e7-8bd0-1db2c55fb7a1","name":"panel_8","type":"visualization"},{"id":"c8f21de0-342e-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"23d22bd0-70b4-11e7-810e-2bafe9e41c10","name
":"panel_10","type":"visualization"},{"id":"AWDHElRWxQT5EBNmq4lz","name":"panel_11","type":"visualization"},{"id":"ebec2ea0-4c7c-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"}],"sort":[1643385898421,2684],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQ2LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"Connections - Destination - Sum of Total Bytes","version":1},"coreMigrationVersion":"7.16.2","id":"ccfcc540-4638-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"1342e630-4632-11e7-9903-85f789353078","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"sort":[1643385898421,2687],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQ3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - Entropy","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}","version":1,"visState":"{\"title\":\"Strelka - File - 
Entropy\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan.entropy.entropy\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Entropy\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2689],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQ4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - Warning","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
Warning\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.warning.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.warning.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Warning\"}}]}"},"coreMigrationVersion":"7.16.2","id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2691],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDQ5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Endgame - All Logs (copy)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Endgame - All 
Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"},"coreMigrationVersion":"7.16.2","id":"d43f0350-6347-11ec-864c-8b5450f97635","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"endgame-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2694],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDUwLDE1XQ=="} -{"attributes":{"description":"","state":{"datasourceStates":{"indexpattern":{"layers":{"851cf638-4ae4-45ad-b7ad-e97c0926b6a3":{"columnOrder":["558ae3ab-245f-4076-9b88-155e26219823","01fd47d1-6f20-44f0-afb6-2850548061f8"],"columns":{"01fd47d1-6f20-44f0-afb6-2850548061f8":{"dataType":"number","isBucketed":false,"label":"Count of records","operationType":"count","scale":"ratio","sourceField":"Records"},"558ae3ab-245f-4076-9b88-155e26219823":{"customLabel":true,"dataType":"string","isBucketed":true,"label":"Endgame - Event 
Categories","operationType":"terms","params":{"missingBucket":false,"orderBy":{"columnId":"01fd47d1-6f20-44f0-afb6-2850548061f8","type":"column"},"orderDirection":"desc","otherBucket":true,"size":5},"scale":"ordinal","sourceField":"event.category"}},"incompleteColumns":{}}}}},"filters":[],"query":{"language":"kuery","query":""},"visualization":{"layers":[{"categoryDisplay":"default","groups":["558ae3ab-245f-4076-9b88-155e26219823"],"layerId":"851cf638-4ae4-45ad-b7ad-e97c0926b6a3","layerType":"data","legendDisplay":"default","metric":"01fd47d1-6f20-44f0-afb6-2850548061f8","nestedLegend":false,"numberDisplay":"percent"}],"shape":"pie"}},"title":"Endgame - Event Categories Graph","visualizationType":"lnsPie"},"coreMigrationVersion":"7.16.2","id":"d58d6c40-624a-11ec-864c-8b5450f97635","migrationVersion":{"lens":"7.16.0"},"references":[{"id":"endgame-*","name":"indexpattern-datasource-current-indexpattern","type":"index-pattern"},{"id":"endgame-*","name":"indexpattern-datasource-layer-851cf638-4ae4-45ad-b7ad-e97c0926b6a3","type":"index-pattern"},{"id":"41a5e270-53b1-11ec-b3ef-6bcc33056a36","name":"tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36","type":"tag"}],"sort":[1643385898421,2698],"type":"lens","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDUxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Log Count Over TIme","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Tunnels - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2700],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDUyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Tunnels - Country","uiStateJSON":"{\"vis\":{\"legendOpen\":false}}","version":1,"visState":"{\"title\":\"Tunnels - 
Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2702],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDUzLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,
\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Bro - Tunnels","version":1},"coreMigrationVersion":"7.16.2","id":"d7b54ae0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"e89c9700-3641-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"43b2b040-3807-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"26457730-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"3cdf2400-3808-11e7-a1cc-ebc6a7e70e84","name":"panel_4","type":"visualization"},{"id":"d26d5510-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"f60e0c40-6e34-11e7-9a19-a5996f8250c6","name":"panel_6","type":"visualization"},{"id":"33b39a60-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"53824da0-6e35-11e7-9a19-a5996f8250c6","name":"panel_8","type":"visualization"},{"id":"AWDHFYrqxQT5EBNmq4qT","name":"panel_9","type":"visualization"}],"sort":[1643385898421,2713],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDU0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"event_type:bro_conn\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Connections - Service","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Connections - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"},"coreMigrationVersion":"7.16.2","id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"*:logstash-*","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2715],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDU1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Server Name","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Server 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.server_name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.server_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}"},"coreMigrationVersion":"7.16.2","id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2717],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDU2LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Network Datasets","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Network 
Datasets\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"},"coreMigrationVersion":"7.16.2","id":"dbe4cc20-6ea7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"387f44c0-6ea7-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":
[1643385898421,2719],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDU3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Weird - Destination Port","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2721],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDU4LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Queries","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}"},"coreMigrationVersion":"7.16.2","id":"dcda5680-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2723],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDU5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SIP - URI","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SIP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2725],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDYwLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:sip\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\"},\"panelIndex\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\"},\"panelIndex\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"e87052bf-935e-421b-8208-e798a37edf69\"},\"panelIndex\":\"e87052bf-935e-421b-8208-e798a37edf69\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\"},\"panelIndex\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"a303da32-bd43-45a5-acbf-093478d734f9\"},\"panelIndex\":\"a303da32-bd43-45a5-acbf-093478d734f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\"},\"panelIndex\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":8,\"w\":8,\"h\":19,\"i\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\"},\"panelIndex\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":34,\"y\":8,\"w\":14,\"h\":19,\"i\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\"},\"panelIndex\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":17,\"i\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\"},\"panelIndex\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":12,\"y\":27,\"w\":12,\"h\":17,\"i\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\"},\"panelIndex\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":17,\"i\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\"},\"panelIndex\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":29,\"i\":\"ba5c8087-cf68-4a4c-9800-05731dca2608\"},\"panelIndex\":\"ba5c8087-cf68-4a4c-9800-05731dca2608\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"Security Onion - 
SIP","version":1},"coreMigrationVersion":"7.16.2","id":"dd98e260-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"272b8ab0-75ca-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"9ff24600-75ca-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"f63cba40-75ca-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"49384710-75ca-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"81a1a740-75ca-11ea-9565-7315f4ee5cac","name":"panel_9","type":"visualization"},{"id":"cf56b070-75ca-11ea-9565-7315f4ee5cac","name":"panel_10","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_11","type":"search"}],"sort":[1643385898421,2738],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDYxLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version
\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"z16.04 - Bro - Weird","version":1},"coreMigrationVersion":"7.16.2","id":"de2da250-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0dbcade0-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"1b837b00-364e-11e7-9dc3-d35061cb642d","name":"panel_2","type":"visualization"},{"id":"312cd460-364e-11e7-9dc3-d35061cb642d","name":"panel_3","type":"visualization"},{"id":"8dbbbed0-364e-11e7-9dc3-d35061cb642d","name":"panel_4","type":"visualization"},{"id":"e32d0d50-342e-11e7-9e93-53b62e1857b2","name":"panel_5","type":"search"},{"id":"ca3e57d0-4172-11e7-9850-b78558d0ac17","name":"panel_6","type":"visualization"},{"id":"dbfe2f00-6e35-11e7-9a19-a5996f8250c6","name":"panel_7","type":"visualization"},{"id":"AWDHGXk-xQT5EBNmq4uf","name":"panel_8","type":"visualization"},{"id":"691ade50-4c85-11e8-9b0a-f1d33346f773","name":"panel_9","type":"visualization"}],"sort":[1643385898421,2749],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDYyLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Hash - SSDeep","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Hash - SSDeep\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hash\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.ssdeep.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SSDeep\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2751],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDYzLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":63,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":63,\"w\":16,\"h\":28,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":63,\"w\":16,\"h\":28,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":91,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":91,\"w\":16,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":91,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhan
cements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":16,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":31,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":115,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":24,\"w\":18,\"h\":8,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":63,\"w\":16,\"h\":28,\"i\":\"31\"},\"panelIndex\":\"31\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":22,\"h\":24,\"i\":\"32\"},\"panelIndex\":\"32\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Connections","version":1},"coreMigrationVersion":"7.16.2","id":"e0a34b90-34e6-11e7-9118-45bd317f0ca4","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"2da139c0-34e7-11e7-9118-45bd317f0ca4","name":"panel_1","type":"visualization"},{"id":"8261cf00-366e-11e7-8c78-e3086faf385c","name":"panel_2","type":"visualization"},{"id":"9a54f150-366e-11e7-8c78-e3086faf385c","name":"panel_3","type":"visualization"},{"id":"296823d0-366f-11e7-8c78-e3086faf385c","name":"panel_4","type":"visualization"},{"id":"b50912f0-366f-11e7-8c78-e3086faf385c","name":"panel_5","type":"visualization"},{"id":"05088150-3670-11e7-8c78-e3086faf385c","name":"panel_6","type":"visualization"},{"id":"c3152010-3673-11e7-8c78-e3086faf385c","name":"panel_7","type":"visualization"},{"id":"13fe29c0-3b17-11e7-b871-5f76306b9694","name":"panel_8","type":"visualization"},{"id":"9bf42190-342d-11e7-9e93-53b62e1857b2","name":"panel_9","type":"search"},{"id":"25ce6eb0-463b-11e7-a82e-d97152153689","name":"panel_10","type":"visualization"},{"id":"AWDG71xFxQT5EBNmq336","name":"panel_11","type":"visualization"},{"id":"bc7fbe00-4a44-11e8-9b0a-f1d33346f773","name":"panel_12","type":"visualization"},{"id":"d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288","name":"panel_13","type":"visualization"}],"sort":[1643385898421,2766],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDY0LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"DNS - Destination Port (Horizontal Bar Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"DNS - Destination Port (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2768],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDY1LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"X.509 - Certificate Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"X.509 - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"},"coreMigrationVersion":"7.16.2","id":"fab4b560-37d8-11e7-9efb-91e89505091f","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2770],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDY2LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"certificate_subject\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"emb
eddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"z16.04 - Bro - 
X.509","version":1},"coreMigrationVersion":"7.16.2","id":"e5aa7170-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"41bee360-3642-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"f5038cc0-342e-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"738127f0-37d7-11e7-9efb-91e89505091f","name":"panel_3","type":"visualization"},{"id":"fab4b560-37d8-11e7-9efb-91e89505091f","name":"panel_4","type":"visualization"},{"id":"0a5f7b30-37d9-11e7-9efb-91e89505091f","name":"panel_5","type":"visualization"},{"id":"150f7280-6e37-11e7-a8d6-ed2e692de531","name":"panel_6","type":"visualization"},{"id":"446e85c0-6e37-11e7-a8d6-ed2e692de531","name":"panel_7","type":"visualization"},{"id":"AWDHGklsxQT5EBNmq4wG","name":"panel_8","type":"visualization"}],"sort":[1643385898421,2780],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDY3LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Host - Domain","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Host - 
Domain\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.domain.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain\"}}]}"},"coreMigrationVersion":"7.16.2","id":"e80aa100-7375-11ea-a3da-cbdb4f8a90c0","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2782],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDY4LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"Connections - Destination - Top Connection Duration","version":1},"coreMigrationVersion":"7.16.2","id":"ea211360-46c4-11e7-a82e-d97152153689","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f7492d0-46c4-11e7-a82e-d97152153689","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"}],"sort":[1643385898421,2785],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDY5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"DNS - Answers","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"DNS - 
Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"sort":[1643385898421,2787],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDcwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":44,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"e
mbeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":44,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":null,\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":56,\"i\":\"22\"},\"panelIndex\":\"22\",\"embeddableConfig\":{\"vis\":null,\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"panelIndex\":\"25\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"enha
ncements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"panelIndex\":\"27\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"panelIndex\":\"28\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_15\"}]","timeRestore":false,"title":"z16.04 - Bro - DNS","version":1},"coreMigrationVersion":"7.16.2","id":"ebf5ec90-34bf-11e7-9b32-bb903919ead9","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"6ef90c30-34c0-11e7-9b32-bb903919ead9","name":"panel_1","type":"visualization"},{"id":"57a9a3f0-34c0-11e7-9b32-bb903919ead9","name":"panel_2","type":"visualization"},{"id":"45a652b0-34c1-11e7-917c-af7a9d11771a","name":"panel_3","type":"visualization"},{"id":"e8e3b8a0-34c1-11e7-917c-af7a9d11771a","name":"panel_4","type":"visualization"},{"id":"1ecdd2e0-34c0-11e7-9b32-bb903919ead9","name":"panel_5","type":"visualization"},{"id":"d46522e0-342d-11e7-9e93-53b62e1857b2","name":"panel_6","type":"search"},{"id":"e3717d80-6e0f-11e7-8624-1fb07dd76c6a","name":"panel_7","type":"visualization"},{"id":"4d89e140-6f09-11e7-9d31-23c0596994a7","name":"panel_8","type":"visualization"},{"id":"74861280-6f06-11e7-b253-211f64f37eda","name":"panel_9","type":"visualization"},{"id":"AWDG9Qx0xQT5EBNmq3_2","name":"panel_10","type":"visualization"},{"id":"dcda5680-2927-11e8-b2a2-09f3986ae284","name":"panel_11","type":"visualization"},{"id":"ff2af9b0-2927-11e8-b2a2-09f3986ae284","name":"panel_12","type":"visualization"},{"id":"22f7de30-4949-11e8-9576-313be7c6b44b","name":"panel_13","type":"visualization"},{"id":"0c338e50-4a4e-11e8-9b0a-f1d33346f773","name":"panel_14","type":"visualization"},{"id":"49e04860-4a4e-11e8-9b0a-f1d33346f773","name":"panel_15","type":"visualization"}],"sort":[1643385898421,2804],"type
":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDcxLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SMB - File System","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SMB - File System\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.file_system.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.file_system.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File System\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ed215680-75ef-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2806],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDcyLDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":51,\"i\":\"4\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":51},\"panelIndex\":\"6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":17,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":34},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"title\":\"NIDS Alert - Source Port\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":20,\"x\":28,\"y\":34},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS Alert - Destination Port\",\"panelRefName\":\"panel_5\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":40,\"x\":8,\"y\":18},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS - Alert Summary 
\",\"panelRefName\":\"panel_6\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":10,\"i\":\"20\",\"w\":17,\"x\":8,\"y\":8},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS - Alert Title\",\"panelRefName\":\"panel_7\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS - Rule Signature\",\"panelRefName\":\"panel_8\"}]","timeRestore":false,"title":"NIDS - SID Drilldown","version":1},"coreMigrationVersion":"7.16.2","id":"ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"d58ec1a0-34e4-11e7-9669-7f1d3242b798","name":"panel_0","type":"visualization"},{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_1","type":"visualization"},{"id":"9a5a35c0-342f-11e7-9e93-53b62e1857b2","name":"panel_2","type":"search"},{"id":"620283e0-3af5-11e7-a83b-b1b4da7d15f4","name":"panel_3","type":"visualization"},{"id":"AWDG3ym0xQT5EBNmq3mG","name":"panel_4","type":"visualization"},{"id":"3f040620-4a44-11e8-9b0a-f1d33346f773","name":"panel_5","type":"visualization"},{"id":"3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290","name":"panel_6","type":"visualization"},{"id":"1b3faca0-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_7","type":"visualization"},{"id":"6533dd40-e064-11e9-8f0c-2ddbf5ed9290","name":"panel_8","type":"visualization"}],"sort":[1643385898421,2816],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDczLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - HTTP - Version","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - HTTP - 
Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"ede56800-6ed7-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9ee33aa0-6eb1-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,2818],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDc0LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ssl\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"7ba54e84-e774-489e-b4e5-156bff163007\"},\"panelIndex\":\"7ba54e84-e774-489e-b4e5-156bff163007\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"83706228-debf-441c-ab7f-2e20c91ec132\"},\"panelIndex\":\"83706228-debf-441c-ab7f-2e20c91ec132\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e06b2a92-d78b-4d77-9948-40a96a630656\"},\"panelIndex\":\"e06b2a92-d78b-4d77-9948-40a96a630656\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":20,\"i\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\"},\"panelIndex\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":20,\"i\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\"},\"panelIndex\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":20,\"i\":\"19764782-13cb-4b14-b272-d30fbdead5a2\"},\"panelIndex\":\"19764782-13cb-4b14-b272-d30fbdead5a2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":20,\"i\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\"},\"panelIndex\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":
\"7.9.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":21,\"i\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\"},\"panelIndex\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":21,\"i\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\"},\"panelIndex\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":29,\"i\":\"75b95d1d-98a0-4d86-b72b-1ecc6f5d7c5a\"},\"panelIndex\":\"75b95d1d-98a0-4d86-b72b-1ecc6f5d7c5a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SSL","version":1},"coreMigrationVersion":"7.16.2","id":"efae8de0-75eb-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"db4dc4a0-75ec-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"b8371250-75ec-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"4e8cbf80-75ec-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,2829],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDc1LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]","timeRestore":false,"title":"Connections - Source - Sum of Total Bytes","version":1},"coreMigrationVersion":"7.16.2","id":"f042ad60-46c6-11e7-946f-1bfb1be7c36b","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"1156b1e0-46c7-11e7-946f-1bfb1be7c36b","name":"panel_1","type":"visualization"}],"sort":[1643385898421,2851],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDg3LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smb*\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\"},\"panelIndex\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\"},\"panelIndex\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\"},\"panelIndex\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\"},\"panelIndex\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\"},\"panelIndex\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":10,\"h\":19,\"i\":\"4f886675-43c8-46c9-a471-717010d40e67\"},\"panelIndex\":\"4f886675-43c8-46c9-a471-717010d40e67\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":19,\"i\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\"},\"panelIndex\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":
\"7.9.0\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\"},\"panelIndex\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\"},\"panelIndex\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":29,\"i\":\"b48f25cd-4353-46f1-ba89-12da381a65eb\"},\"panelIndex\":\"b48f25cd-4353-46f1-ba89-12da381a65eb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - SMB","version":1},"coreMigrationVersion":"7.16.2","id":"f24d7b80-75c6-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"7f822930-6ea4-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"34762420-75f0-11ea-9565-7315f4ee5cac","name":"panel_5","type":"visualization"},{"id":"1c6567b0-75f0-11ea-9565-7315f4ee5cac","name":"panel_6","type":"visualization"},{"id":"ed215680-75ef-11ea-9565-7315f4ee5cac","name":"panel_7","type":"visualization"},{"id":"052df440-75f0-11ea-9565-7315f4ee5cac","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,2862],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDg4LDE1XQ=="} 
-{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:playbook AND event.dataset:alert\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Security Onion - Alert Data\",\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":26,\"h\":18,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":18,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"}]","timeRestore":false,"title":"Security Onion - 
Playbook","version":1},"coreMigrationVersion":"7.16.2","id":"f449f0a0-c77c-11ea-bebb-37c5ab5894ea","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"508fb520-72af-11ea-8dd2-9d8795a1200b","name":"panel_3","type":"visualization"},{"id":"f7e1d570-72ae-11ea-8dd2-9d8795a1200b","name":"panel_4","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"search"}],"sort":[1643385898421,2869],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDg5LDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Zeek - Notice Action","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"Security Onion - Zeek - Notice Action\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.p: 
Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"coreMigrationVersion":"7.16.2","id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2871],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDkwLDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:notice AND 
event.module:zeek\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3c981b35-b930-4523-bef4-7f5193148816\"},\"panelIndex\":\"3c981b35-b930-4523-bef4-7f5193148816\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":16,\"h\":8,\"i\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\"},\"panelIndex\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"7d323b2f-3502-4397-93fd-b430d9011d92\"},\"panelIndex\":\"7d323b2f-3502-4397-93fd-b430d9011d92\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":18,\"i\":\"298b9cf4-5e54-45f5-805c-e04b31044401\"},\"panelIndex\":\"298b9cf4-5e54-45f5-805c-e04b31044401\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":8,\"w\":29,\"h\":18,\"i\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\"},\"panelIndex\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":23,\"i\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\"},\"panelIndex\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":11,\"y\":26,\"w\":11,\"h\":23,\"i\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\"},\"panelIndex\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":26,\"w\":10,\"h\":23,\"i\":\"208bc4b2-013a-4aab-b72c-45a618077791\"},\"panelIndex\":\"208bc4b2
-013a-4aab-b72c-45a618077791\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":26,\"w\":16,\"h\":23,\"i\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\"},\"panelIndex\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":20,\"i\":\"e08f3143-7e05-49ab-882f-d63e24e622bb\"},\"panelIndex\":\"e08f3143-7e05-49ab-882f-d63e24e622bb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]","timeRestore":false,"title":"Security Onion - Zeek - Notices","version":1},"coreMigrationVersion":"7.16.2","id":"fa9ed760-7734-11ea-bee5-af7f7c7b8e05","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"30df00e0-7733-11ea-bee5-af7f7c7b8e05","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"9c6ccff0-7a84-11ea-9d13-57f5db13d1ed","name":"panel_3","type":"visualization"},{"id":"c8039090-7a84-11ea-9d13-57f5db13d1ed","name":"panel_4","type":"visualization"},{"id":"6b18be30-72a7-11ea-8dd2-9d8795a1200b","name":"panel_5","type":"visualization"},{"id":"b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_6","type":"visualization"},{"id":"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b","name":"panel_7","type":"visualization"},{"id":"fafba910-7a84-11ea-9d13-57f5db13d1ed","name":"panel_8","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_9","type":"search"}],"sort":[1643385898421,2882],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDkxLDE1XQ=="} 
-{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"event.module.keyword\",\"negate\":true,\"params\":{\"query\":\"suricata\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module.keyword\":\"suricata\"}}}]}"},"savedSearchRefName":"search_0","title":"Security Onion - Playbook - Rules","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/k
ibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Playbook - Rules\"}"},"coreMigrationVersion":"7.16.2","id":"faaf66e0-c77d-11ea-bebb-37c5ab5894ea","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index","type":"index-pattern"},{"id":"5c3effd0-72ae-11ea-8dd2-9d8795a1200b","name":"search_0","type":"search"}],"sort":[1643385898421,2885],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDkyLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity_label\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"
syslog.severity_label: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - Syslog - Severity (Donut)\"}"},"coreMigrationVersion":"7.16.2","id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"sort":[1643385898421,2887],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDkzLDE1XQ=="} -{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"coreMigrationVersion":"7.16.2","id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.14.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"sort":[1643385898421,2889],"type":"visualization","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDk0LDE1XQ=="} -{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{\"enhanc
ements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
Strelka","version":1},"coreMigrationVersion":"7.16.2","id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.16.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"sort":[1643385898421,2901],"type":"dashboard","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDk1LDE1XQ=="} 
-{"attributes":{"allowNoIndex":true,"fieldFormatMap":"{\"Ransomware.child_processes.pid\":{\"id\":\"string\"},\"Ransomware.pid\":{\"id\":\"string\"},\"Responses.@timestamp\":{\"id\":\"string\"},\"Target.process.parent.pgid\":{\"id\":\"string\"},\"Target.process.parent.pid\":{\"id\":\"string\"},\"Target.process.parent.ppid\":{\"id\":\"string\"},\"Target.process.parent.thread.id\":{\"id\":\"string\"},\"Target.process.pgid\":{\"id\":\"string\"},\"Target.process.pid\":{\"id\":\"string\"},\"Target.process.ppid\":{\"id\":\"string\"},\"Target.process.thread.id\":{\"id\":\"string\"},\"event.sequence\":{\"id\":\"string\"},\"event.severity\":{\"id\":\"string\"},\"process.parent.pgid\":{\"id\":\"string\"},\"process.parent.pid\":{\"id\":\"string\"},\"process.parent.ppid\":{\"id\":\"string\"},\"process.parent.thread.id\":{\"id\":\"string\"},\"process.pgid\":{\"id\":\"string\"},\"process.pid\":{\"id\":\"string\"},\"process.ppid\":{\"id\":\"string\"},\"process.thread.id\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.header.entrypoint\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.sections.chi2\":{\"id\":\"number\"},\"threat.enrichments.indicator.file.elf.sections.entropy\":{\"id\":\"number\"},\"threat.enrichments.indicator.file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"threat.enrichments.indicator.file.elf.sections.virtual_address\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.sections.virtual_size\":{\"id\":\"string\"},\"threat.enrichments.indicator.url.port\":{\"id\":\"string\"},\"threat.indicator.file.elf.header.entrypoint\":{\"id\":\"string\"},\"threat.indicator.file.elf.sections.chi2\":{\"id\":\"number\"},\"threat.indicator.file.elf.sections.entropy\":{\"id\":\"number\"},\"threat.indicator.file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"threat.indicator.file.elf.sections.virtual_address\":{\"id\":\"string\"},\"threat.indicator.file.elf.sections.virtual_size\":{\"id\":\"string\"},\"threat.indicator.url.port\":{\"id\":
\"string\"},\"destination.bytes\":{\"id\":\"bytes\"},\"destination.port\":{\"id\":\"string\"},\"http.request.body.bytes\":{\"id\":\"bytes\"},\"http.request.bytes\":{\"id\":\"bytes\"},\"http.response.body.bytes\":{\"id\":\"bytes\"},\"http.response.bytes\":{\"id\":\"bytes\"},\"http.response.status_code\":{\"id\":\"string\"},\"network.bytes\":{\"id\":\"bytes\"},\"source.bytes\":{\"id\":\"bytes\"},\"source.port\":{\"id\":\"string\"}}","fields":"[{\"name\":\"cloud.account.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.machine.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.project.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.image.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.id\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.image.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.labels\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.kernel\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.containerized\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\"
,\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"elastic_agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.snapshot\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.cat
egory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.ingested\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.outcome\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.hosts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.api\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BitlockerUserInputTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BootMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BootType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BuildVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CorruptionActionState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Detail\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DriveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DriverName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DriverNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DwordVal\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.EntryCount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ExtraIn
fo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FailureName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FailureNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FileVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IdleImplementation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IdleStateCount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.
event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LastBootGood\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LastShutdownGood\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MajorVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MaximumPerformancePercent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"winlog.event_data.MemberName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MemberSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MinimumPerformancePercent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MinimumThrottlePercent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MinorVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSchemeGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NominalFrequency\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"winlog.event_data.OldSchemeGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OriginalFileName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PerformanceImplementation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessPath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessPid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PuaCount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PuaPolicyId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.QfeVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ScriptBlockText\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ShutdownActionType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":tru
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ShutdownEventCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ShutdownReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.StartTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.StopTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TSId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetInfo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetLogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetServerName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"inde
xed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TokenElevationType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.channel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.record_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"u
ser.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.failure.reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.failure.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.failure.sub_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computerObject.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computerObject.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computerObject.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessGranted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessListDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessRemoved\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccountDomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccountExpires\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AllowedToDelegateTo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuditPolicyChanges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuditPolicyChangesDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuditSourceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CallerProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CallerProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Category\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CategoryId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ClientAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ClientName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CrashOnAuditFailValue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DisplayName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainBehaviorVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainPolicyChanged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Dummy\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.EventSourceId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FailureReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.GroupTypeChange\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.HandleId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.HomeDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.HomePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.KerberosPolicyChange\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonHours\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MachineAccountQuota\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MandatoryLabel
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MixedDomainMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdDacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdDacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdDacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdSacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdSacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdSacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewTargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewUACList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewUacValue\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ObjectServer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ObjectType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OemInformation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdDacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdDacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdDacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdSacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdSacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdSacl2\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldTargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldUacValue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PasswordLastSet\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PasswordHistoryLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ParentProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PreAuthType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PrimaryGroupId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProfilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ResourceAttributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
winlog.event_data.SamAccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ScriptPath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SidHistory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceStartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SessionName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SidFilteringEnabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"winlog.event_data.StatusDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubCategory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubCategoryGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubcategoryGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubCategoryId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubcategoryId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TdoAttributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TdoDirection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TdoType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true},{\"name\":\"winlog.event_data.TicketEncryptionType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketEncryptionTypeDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketOptions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketOptionsDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserAccountControl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserParameters\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserPrincipalName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserWorkstations\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.outcome\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.time_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.trustAttribute\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.trustDirection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.trustType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.BackupPath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.Channel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"action_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"completed_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.comment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"started_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.action_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.completed_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.data.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.data.comment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":tru
e,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"EndpointActions.started_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.stack_trace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"expiration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.expiration\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.input_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Events\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"
searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.artifacts.global\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.version\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.cross_session\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.feature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.parent_to_child\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.self_injection\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.thread_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.unique_key_v1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.executable\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.feature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.data\",\"type\":\"binary\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Ransomware.child_processes.files.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.metrics\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.original.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Ransomware.feature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.data\",\"type\":\"binary\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Ransomware.files.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.metrics\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.original.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Respon
ses.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.action.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.action.field\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Responses.action.state\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Responses.process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Responses.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.result\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Target.dll.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.ancestry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.authentication_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.c
ode_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"Target.process.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\
":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.bytes_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.bytes_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.memory_region.bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.memory_re
gion.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.original_file_name\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.mem
ory_region.region_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Targ
et.process.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.
exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_sig
nature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.
process.parent.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.path\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.real.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed
\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.executable\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"n
ame\":\"Target.process.parent.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"Target.process.parent.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.instruction_pointer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.memory_section.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.memory_section.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.memory_section.
size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.module_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.rva\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.symbol_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\"
:false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_summary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.parameter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.parameter_bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.thread.Ext.parameter_bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Targ
et.process.thread.Ext.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_bytes_disasm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_bytes_disasm_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.elev
ation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.t
ype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"agent.ephemeral_id
\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\"
:true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dll.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.risk_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.entry_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.code_page\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.errors.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.errors.error_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.file_extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.raw_code\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.raw_code_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"in
dexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.quarantine_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.quarantine_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.quarantine_result\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"file.Ext.temp_file_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.windows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.accessed\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.val
id\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.ctime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.drive_letter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.sha512\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.mtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.file_version\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target_path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target_path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext.real
.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext.variant\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.domain\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"host.user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.ancestry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.authentication_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.tru
sted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"process.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"process.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.bytes_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.bytes_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.Ext.memory_region.bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process
.Ext.memory_region.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.domain\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"process.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proces
s.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
process.parent.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.sha512\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.E
xt.real.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"in
dexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexe
d\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"process.parent.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pgid\",\"ty
pe\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.instruction_pointer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.memory_section.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.memory_section.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.memory_section.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.module_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.rva\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.symbol_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thre
ad.Ext.call_stack_final_user_module.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_summary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.parameter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.parameter_bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.thread.Ext.parameter_bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_bytes\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_bytes_disasm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_bytes_disasm_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"registry.data.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.author\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.license\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.ruleset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indic
ator.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.as.organization.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.confidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.email.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indi
cator.file.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.entry_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.header_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.header_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.secondary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.monotonic_id\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.quarantine_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator
.file.Ext.quarantine_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.quarantine_result\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.temp_file_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.windows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.windows.zone_identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.accessed\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.ctime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.drive_letter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.physical_size\",\"type\":\"number\",\"c
ount\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.
file.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.mtime\",\"type\":\"date\",\"count\":0,\"scripted\
":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.target_path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.target_path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.first_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"threat.enrichments.indicator.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.last_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.marking.tlp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.modified_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.company\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.data.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.data.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.hive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.scanner_stats\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.sightings\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue},{\"name\":\"threat.enrichments.indicator.url.fragment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.original.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.scheme\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.alternative_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.
x509.issuer.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.not_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.not_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.public_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.public_key_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.public_key_exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"threat.enrichments.indicator.x509.public_key_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.signature_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"threat.enrichments.indicator.x509.subject.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.version_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.atomic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.field\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.framework\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.alias\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.as.organization.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"n
ame\":\"threat.indicator.confidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.email.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.entropy\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.entry_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.header_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.header_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"threat.indicator.file.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.secondary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.monotonic_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.name\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.quarantine_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.quarantine_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.quarantine_result\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.temp_file_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.windows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.windows.zone_identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.accessed\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"threat.indicator.file.attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.ctime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.device\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.drive_letter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true},{\"name\":\"threat.indicator.file.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.name\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.mode\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.mtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.imphash\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.target_path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.target_path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.first_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.in
dicator.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"threat.indicator.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.last_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.marking.tlp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.modified_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"threat.indicator.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.data.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.data.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.hive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true},{\"name\":\"threat.indicator.registry.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.scanner_stats\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.sightings\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.fragment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{
\"name\":\"threat.indicator.url.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.original.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.scheme\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"threat.indicator.x509.alternative_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.not_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.not_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.public_key_algorithm\",\"type\"
:\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.public_key_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.public_key_exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"threat.indicator.x509.public_key_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.signature_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.version_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.platforms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.tactic.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.tactic.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.technique.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"user.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.full_name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"user.group.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"user.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"event.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.Ext.correlation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.Ext.correlation.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.header_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malwa
re_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.secondary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.monotonic_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.defense_evasions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.load_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\
":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.Ext.options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.Ext.status\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.sub
domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.request.body.content\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"http.request.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.Ext.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.content\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"http.response.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.iana_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.transport\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.bytes\",\"type\":\"n
umber\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"package.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.defense_evasions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.elevation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.security_attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.data.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.hive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"logs-*"},"coreMigrationVersion":"7.16.2","id":"logs-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,2902],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDk2LDE1XQ=="} 
-{"attributes":{"allowNoIndex":true,"fieldFormatMap":"{\"system.process.memory.size\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.active_anon.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.active_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.cache.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.inactive_anon.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.inactive_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.mapped_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.rss.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.rss_huge.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.swap.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.unevictable.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.blkio.total.bytes\":{\"id\":\"bytes\"},\"system.core.user.pct\":{\"id\":\"percent\"},\"system.co
re.system.pct\":{\"id\":\"percent\"},\"system.core.nice.pct\":{\"id\":\"percent\"},\"system.core.idle.pct\":{\"id\":\"percent\"},\"system.core.iowait.pct\":{\"id\":\"percent\"},\"system.core.irq.pct\":{\"id\":\"percent\"},\"system.core.softirq.pct\":{\"id\":\"percent\"},\"system.core.steal.pct\":{\"id\":\"percent\"},\"host.disk.read.bytes\":{\"id\":\"bytes\"},\"host.disk.write.bytes\":{\"id\":\"bytes\"},\"system.diskio.read.bytes\":{\"id\":\"bytes\"},\"system.diskio.write.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.read.per_sec.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.write.per_sec.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.request.avg_size\":{\"id\":\"bytes\"},\"host.cpu.pct\":{\"id\":\"percent\"},\"system.cpu.user.pct\":{\"id\":\"percent\"},\"system.cpu.system.pct\":{\"id\":\"percent\"},\"system.cpu.nice.pct\":{\"id\":\"percent\"},\"system.cpu.idle.pct\":{\"id\":\"percent\"},\"system.cpu.iowait.pct\":{\"id\":\"percent\"},\"system.cpu.irq.pct\":{\"id\":\"percent\"},\"system.cpu.softirq.pct\":{\"id\":\"percent\"},\"system.cpu.steal.pct\":{\"id\":\"percent\"},\"system.cpu.total.pct\":{\"id\":\"percent\"},\"system.cpu.user.norm.pct\":{\"id\":\"percent\"},\"system.cpu.system.norm.pct\":{\"id\":\"percent\"},\"system.cpu.nice.norm.pct\":{\"id\":\"percent\"},\"system.cpu.idle.norm.pct\":{\"id\":\"percent\"},\"system.cpu.iowait.norm.pct\":{\"id\":\"percent\"},\"system.cpu.irq.norm.pct\":{\"id\":\"percent\"},\"system.cpu.softirq.norm.pct\":{\"id\":\"percent\"},\"system.cpu.steal.norm.pct\":{\"id\":\"percent\"},\"system.cpu.total.norm.pct\":{\"id\":\"percent\"},\"system.filesystem.available\":{\"id\":\"bytes\"},\"system.filesystem.free\":{\"id\":\"bytes\"},\"system.filesystem.total\":{\"id\":\"bytes\"},\"system.filesystem.used.bytes\":{\"id\":\"bytes\"},\"system.filesystem.used.pct\":{\"id\":\"percent\"},\"process.cpu.pct\":{\"id\":\"percent\"},\"process.memory.pct\":{\"id\":\"percent\"},\"system.process.cpu.total.pct\":{\"id\":\"percent\"},\"system.pro
cess.cpu.total.norm.pct\":{\"id\":\"percent\"},\"system.process.memory.rss.bytes\":{\"id\":\"bytes\"},\"system.process.memory.rss.pct\":{\"id\":\"percent\"},\"system.process.memory.share\":{\"id\":\"bytes\"},\"system.process.cgroup.cpu.pressure.some.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.total\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.memory.mem.low.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.high.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.low.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.high.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.io.pressure.full.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.some.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.some.60.pct\":{\"id\":\"percent\"},\"system.socket.summary.tcp.memory\":{\"id\":\"bytes\"},\"system.socket.summary.udp.memory\":{\"id\":\"bytes\"},\"system.fsstat.total_size.free\":{\"id\":\"bytes\"},\"system.fsstat.total_size.used\":{\"id\":\"bytes\"},\"system.fsstat.total_size.total\":{\"id\":\"bytes\"},\"system.memory.total\":{\"id\":\"bytes\"},\"system.memory.used.bytes\":{\"id\":\"bytes\"},\"system.memory.free\":{\"id\":\"bytes\"},\"system.memory.used.pct\":{\"id\":\"percent\"},\"system.memory.actual.used.bytes\":{\"id\":\"bytes\"},\"system.memory.act
ual.free\":{\"id\":\"bytes\"},\"system.memory.actual.used.pct\":{\"id\":\"percent\"},\"system.memory.swap.total\":{\"id\":\"bytes\"},\"system.memory.swap.used.bytes\":{\"id\":\"bytes\"},\"system.memory.swap.free\":{\"id\":\"bytes\"},\"system.memory.swap.used.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.pgscan_kswapd.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgscan_direct.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgfree.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgsteal_kswapd.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgsteal_direct.pages\":{\"id\":\"number\"},\"system.memory.page_stats.direct_efficiency.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.kswapd_efficiency.pct\":{\"id\":\"percent\"},\"system.memory.hugepages.total\":{\"id\":\"number\"},\"system.memory.hugepages.used.bytes\":{\"id\":\"bytes\"},\"system.memory.hugepages.used.pct\":{\"id\":\"percent\"},\"system.memory.hugepages.free\":{\"id\":\"number\"},\"system.memory.hugepages.reserved\":{\"id\":\"number\"},\"system.memory.hugepages.surplus\":{\"id\":\"number\"},\"system.memory.hugepages.default_size\":{\"id\":\"bytes\"},\"host.network.in.bytes\":{\"id\":\"bytes\"},\"host.network.out.bytes\":{\"id\":\"bytes\"},\"system.network.out.bytes\":{\"id\":\"bytes\"},\"system.network.in.bytes\":{\"id\":\"bytes\"},\"system.uptime.duration.ms\":{\"id\":\"duration\"},\"event.sequence\":{\"id\":\"string\"},\"event.severity\":{\"id\":\"string\"}}","fields":"[{\"name\":\"cloud.account.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"cloud.instance.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.machine.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.project.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.image.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.image.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.labels\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"host.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"host.containerized\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.acked\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.active\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.batches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.dropped\",\"type\":\"number\",\
"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.duplicates\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.failed\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.toomany\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.write.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.write.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.snapshot\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.user.t
icks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.value\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.time.ms\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.user.time.ms\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.system.time.ms\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.fd.open\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.fd.limit.soft\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.fd.limit.hard\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.id\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.cfs.period.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.cfs.quota.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.cfs.shares\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.rt.period.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.rt.runtime.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.throttled.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.throttled.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.total.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.user.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.system.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.percpu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.usage.max.bytes\
",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.failures\",\"type\":\"number
\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.active_anon.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.active_file.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.cache.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.proce
ss.cgroup.memory.stats.inactive_anon.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.inactive_file.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.mapped_file.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.page_faults\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.major_page_faults\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.pages_in\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.pages_out\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.rss.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.rss_huge.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.swap.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"system.process.cgroup.memory.stats.unevictable.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.total.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.total.ios\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.cpu.cores\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\
":\"beat.stats.system.load.1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.norm.1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.norm.15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.norm.5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.system.time.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.total.value\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.total.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.total.time.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.u
ser.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.user.time.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.info.ephemeral_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.info.uptime.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.cfs.period.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.cfs.quota.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.stats.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.stats.throttled.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.stats.throttled.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpuacct.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}
,{\"name\":\"beat.stats.cgroup.cpuacct.total.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.memory.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.memory.mem.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.memory.mem.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.gc_next\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.memory.alloc\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.memory.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.rss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.handles.open\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.handles.limit.hard\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.handles.limit.soft\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"name\":\"beat.stats.uptime.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.runtime.goroutines\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.clients\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.queue.acked\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.active\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.failed\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.filtered\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.published\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.retry\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.total\",\"type\":\"number\",\
"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.config.running\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.config.starts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.config.stops\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.read.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.read.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.cpu.usage\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.disk.read.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.disk.write.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexe
d\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ho
st.network.egress.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.egress.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.ingress.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.ingress.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":tr
ue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.user.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.nice.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.nice.ticks\",\"type\":\"number\",\"count\":
0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.idle.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.idle.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.iowait.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.iowait.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.irq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.irq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.softirq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.softirq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.steal.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.steal.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"system.diskio.serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.read.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.write.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.read.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.write.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.read.time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.write.time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.io.time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.request.merges_per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.request.merges_per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.request.per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.request.per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.per_sec.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.await\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.per_sec.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.await\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.request.avg_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.queue.avg_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.await\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.service_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.busy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.cpu.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed
\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.cores\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.nice.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.idle.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.iowait.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.irq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.softirq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.steal.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.total.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.user.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.c
pu.system.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.nice.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.idle.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.iowait.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.irq.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.softirq.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.steal.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.total.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.user.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.nice.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.idle.ticks\",\"type\":\"number\",\"count\":0,\"sc
ripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.iowait.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.irq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.softirq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.steal.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.available\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.mount_point\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.files\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.free_files\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.cpu.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.cpu.start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.memory.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.digest_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.c
ode_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.creation_da
te\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\
":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\
":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proce
ss.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.digest_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"index
ed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.end\",\
"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pid\",\"type\":\"nu
mber\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"user.changes.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\"
:true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.id\",\"type\":\"string\",\"count\":0,\"scripte
d\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.roles\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cmdline\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.env\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.rss.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.rss.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.share\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cgroups_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.usage.ns\",\"type
\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.usage.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.usage.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.user.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.user.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.system.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.system.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.throttled.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":
false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.total.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.total.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":tru
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.user.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.system.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.low.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.high.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.low\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.high\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.max\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.oom\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.oom_kill\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.fail\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.low.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.high.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.low\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.high\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.max\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.oom\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.oom_kill\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.fail\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.*\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.*.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*.*\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*.*.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*.*.ios\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.60.pct\",\"type\
":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.address\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":tru
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.all
.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.all.listening\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.orphan\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.listening\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.established\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.close_wait\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.time_wait\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.syn_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.syn_recv\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.fin_wait1\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.fin_wait2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.last_ack\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.closing\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.udp.memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.udp.all.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_files\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_size.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_size.used\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_size.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"
indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.actual.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.actual.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.actual.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.out.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.in.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.readahead.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.readahead.cached\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgscan_kswapd.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgscan_direct.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgfree.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgsteal_kswapd.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgsteal_direct.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.direct_efficiency.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.kswapd_ef
ficiency.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.reserved\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.surplus\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.default_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.swap.out.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.swap.out.fallback\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"system.process.summary.running\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.idle\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.sleeping\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.stopped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.zombie\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.dead\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.unknown\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.in.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.in.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.out.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.out.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"system.network.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.uptime.duration.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.1\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.5\",\"type\":\"number\",\"count\":0,\"scripted\":
false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.15\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.norm.1\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.norm.5\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.norm.15\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.cores\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.capabilities\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Endpoint.configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.configuration.isolation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"Endpoint.policy.applied.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.state.isolation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.ingested\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.outcome\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"event.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext.variant\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint.histogram\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint.latest\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint.mean\",\"type\":\"number\
",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.metrics.disks.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.endpoint_drive\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.fstype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.mount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},
{\"name\":\"Endpoint.metrics.documents_volume.file_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.suppres
sed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":
true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint.private\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint.private.latest\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint.private.mean\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.system_impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.metrics.threads\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"r
eadFromDocValues\":false},{\"name\":\"Endpoint.metrics.uptime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.uptime.endpoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.uptime.system\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.artifacts.global\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.endpoint_policy_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.configurations\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.configurations.antivirus_registration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.configurations.antivirus_registration.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.antivirus_registration.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.behavior_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.behavior_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.events\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.events.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable
\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.events.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.host_isolation.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.logging\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.logging.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.logging.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.malware\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.malware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.malware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.memory_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.memory_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.memory_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.ransomware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.ransomware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.streaming\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.streaming.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.streaming.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.behavior_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.credential_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.credential_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.malware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.malware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_scan.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_scan.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.ransomware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.ransomware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.build.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]","timeFieldName":"@timestamp","title":"metrics-*"},"coreMigrationVersion":"7.16.2","id":"metrics-*","migrationVersion":{"index-pattern":"7.11.0"},"references":[],"sort":[1643385898421,2830],"type":"index-pattern","updated_at":"2022-01-28T16:04:58.421Z","version":"WzE0NDc2LDE1XQ=="} -{"excludedObjects":[],"excludedObjectsCount":0,"exportedCount":823,"missingRefCount":1,"missingReferences":[{"id":"0b963f20-6f9c-11ec-864c-8b5450f97635","type":"tag"}]} +{"attributes": {"fieldFormatMap": 
"{\"match_body.source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"match_body.destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_username_override.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.slack_webhook_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.slack_webhook_url.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_info.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert_info.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_sent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.signature_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._index.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body._type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body._type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.category.keyword\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lat\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.location.lon\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.d
estination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true},{\"name\":\"match_body.local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_hits\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.num_matches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original
_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_ipbytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.original_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_ipbytes\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.respond_ipbytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"match_body.sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-host_from\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-sourceip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-sourceip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.timestamp\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"match_body.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"match_body.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matches\",\"type\":\"number\",\"count\":3,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_name\",\"type\":\"string\",\"count\":1,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_name\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"starttime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"time_taken\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traceback\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traceback.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"until\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "notExpandable": true, "timeFieldName": "@timestamp", "title": "*:elastalert_status*"}, "coreMigrationVersion": "7.16.2", "id": "*:elastalert_status*", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 9], "type": "index-pattern", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjY0LDE1XQ=="} +{"attributes": {"fieldFormatMap": "{\"_id\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/#/hunt?q=_id%3A{{value}}\",\"labelTemplate\":\"Hunt and optionally pivot to 
PCAP/Cases\"}},\"uid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"source_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR 
destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"destination_port\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'source_port:\\\"{{value}}\\\" OR destination_port:\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"fuid\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"resp_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"orig_fuids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"sid\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"port\":{\"id\":\"number\",\"params\":{\"pattern\":\"0.[000]\"}},\"query\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(
refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"query.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"server_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb90391
9ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"indicator.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"file_ip.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:'\\\"{{value}}\\\"')),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"signature_info\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{rawValue}}\",\"labelTemplate\":\"{{value}
}\"}},\"highest_registered_domain\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"highest_registered_domain.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"domain_name.keyword\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"duration\":{\"id\":\"duration\",\"params\":{\"outputFormat\":\"asSeconds\",\"outputPrecision\":6}},\"missed_bytes\":{\"id\":\"bytes\"},\"missing_bytes\":{\"id\":\"bytes\"},\"original_bytes\":{\"id\":\"bytes\"},\"original_ip_bytes\":{\"id\":\"bytes\"},\"overflow_bytes\":{\"id\":\"bytes\"},\"respond_bytes\":{\"id\":\"bytes\"},\"respond_ip_bytes\":{\"id\":\
"bytes\"},\"seen_bytes\":{\"id\":\"bytes\"},\"total_bytes\":{\"id\":\"bytes\"},\"rtt\":{\"id\":\"number\",\"params\":{\"pattern\":\"0,0.[0000000]\"}},\"uids\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"/kibana/app/dashboards#/view/68563ed0-34bf-11e7-9b32-bb903919ead9?_g=(refreshInterval:(display:Off,pause:!f,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(columns:!(_source),index:'*:logstash-*',interval:auto,query:(query_string:(analyze_wildcard:!t,query:{{value}})),sort:!('@timestamp',desc))\",\"labelTemplate\":\"{{value}}\"}},\"osquery.LiveQuery\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"LiveQuery\"}},\"TheHive\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"\",\"labelTemplate\":\"Add2Hive\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"@version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ack\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ack.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints.path_len\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"beat.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat_host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"beat_host.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certifica
te_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readF
romDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_fqdn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_fqdn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_
version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"commun
ity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.arch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.arch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.data.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.dpkg_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.dpkg_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_total\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":true},{\"name\":\"data.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.package\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"data.package.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.args.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.cmd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.egroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.egroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"
name\":\"data.process.euser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.euser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.fgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.fgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.nlwp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.nlwp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pgrp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pgrp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.ppid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.processor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.processor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.resident\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.resident.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.rgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.rgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.ruser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.proc
ess.ruser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.session.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.sgroup\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.sgroup.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.share\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.share.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.start_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.start_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.stime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.stime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.suser\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.suser.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tgid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tgid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.utime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.utime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.process.vm_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.process.vm_size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.archit
ecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.architecture.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.format\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.format.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.multiarch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.multiarch.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.section\",\"type\":\"string\",\"count\":0,\"scripted\":fal
se,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.section.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.vendor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.vendor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.program.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.program.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.status.keyword\",\"
type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.ftscomment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.ftscomment.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.name.keyword\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"decoder.parent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"decoder.parent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"script
ed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_iso_code.keyword\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_iso_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDoc
Values\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValue
s\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted_cutoff\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted_cutoff.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fa
cility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"framed_addr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"framed_addr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"full_log\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"full_log.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFrom
DocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_responses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_responses.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ha
s_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"hassh_server_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_server_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hassh_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hassh_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"input.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ecn\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_ecn.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fa
lse},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_
username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ja3s\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ja3s.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":tru
e,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"
logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"manager.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.key
word\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"options.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.EndpointIP1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue},{\"name\":\"osquery.EndpointIP2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.EndpointIP2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.LiveQuery\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.LiveQuery.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.calendarTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.calendarTime.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.codename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.directory\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.gid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.gid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.shell.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uid_signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uid_signed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.columns.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.columns.uuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.counter\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.epoch\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hardware_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hardware_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostIdentifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostIdentifier.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.name.keyword\",\"type\":
\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.unixTime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"predecoder.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"predecoder.timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prospector.type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_location.country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"
readFromDocValues\":false},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},
{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"respond_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_signature.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"read
FromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sequence_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_dns_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDo
cValues\":false},{\"name\":\"server_dns_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_host_key_algorithms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_host_key_algorithms.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_nb_computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_nb_computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_tree_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_tree_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_code2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_code3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,
\"readFromDocValues\":false},{\"name\":\"source_geo.country_code3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.event.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.gname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.gname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.inode_after\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.md5_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.md5_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.mtime_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.mtime_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.perm_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.pe
rm_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha1_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha1_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.sha256_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.sha256_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.size_before\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.size_before.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uid_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uid_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syscheck.uname_after\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syscheck.uname_after.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tcp_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tcp_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"read
FromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\"
:\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"urg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"urg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false}
,{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"na
me\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.firedtimes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gdpr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gdpr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.gpg13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.gpg13.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.groups\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.groups.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.mail\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"wazuh-rule.pci_dss\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"wazuh-rule.pci_dss.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"window\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"window.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"TheHive\",\"type\":\"string\",\"count\":0,\"scripted\":true,\"script\":\"'soctopus/thehive/case/' + doc['_id'].value\",\"lang\":\"painless\",\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false}]", "notExpandable": true, "timeFieldName": "@timestamp", "title": "*:logstash-*"}, "coreMigrationVersion": "7.16.2", "id": "*:logstash-*", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 10], "type": "index-pattern", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjY1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "Security Onion - Network Data", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"title\":\"Security Onion - Network Data\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Datasets** \\n[Connections](/kibana/app/dashboards#/view/0cc628b0-6e9f-11ea-9266-1fd14ca6af34) | [DCE/RPC](/kibana/app/dashboards#/view/9e882df0-72c5-11ea-8dd2-9d8795a1200b) |\\n[DHCP](/kibana/app/dashboards#/view/80625c10-96dd-11ea-814e-bb515e873c2c) \\n[DNP3](/kibana/app/dashboards#/view/b1f52180-755a-11ea-9565-7315f4ee5cac) | [DNS](/kibana/app/dashboards#/view/55ac6bf0-6ec4-11ea-9266-1fd14ca6af34) |\\n[FTP](/kibana/app/dashboards#/view/739bfad0-755a-11ea-9565-7315f4ee5cac) |\\n[HTTP](/kibana/app/dashboards#/view/44e9c820-6eb1-11ea-9266-1fd14ca6af34) | [Intel](/kibana/app/dashboards#/view/85b529a0-0e5a-11eb-a255-e1e8e85e3571) | [IRC](/kibana/app/dashboards#/view/38523560-75ba-11ea-9565-7315f4ee5cac) |\\n[Kerberos](/kibana/app/dashboards#/view/b207ab90-75bc-11ea-9565-7315f4ee5cac) \\n[Modbus](/kibana/app/dashboards#/view/886a7b90-75bd-11ea-9565-7315f4ee5cac) | \\n[MySQL](/kibana/app/dashboards#/view/c3ced6d0-75be-11ea-9565-7315f4ee5cac) | \\n[NTLM](/kibana/app/dashboards#/view/558292e0-75c1-11ea-9565-7315f4ee5cac) | \\n[PE](/kibana/app/dashboards#/view/94b55b90-c761-11ea-bebb-37c5ab5894ea) |\\n[RADIUS](/kibana/app/dashboards#/view/b9769e60-75c4-11ea-9565-7315f4ee5cac) | [RDP](/kibana/app/dashboards#/view/5b743150-75c5-11ea-9565-7315f4ee5cac) | \\n[RFB](/kibana/app/dashboards#/view/c8b3c360-75c6-11ea-9565-7315f4ee5cac) | [SIP](/kibana/app/dashboards#/view/dd98e260-75c6-11ea-9565-7315f4ee5cac) \\n[SMB](/kibana/app/dashboards#/view/f24d7b80-75c6-11ea-9565-7315f4ee5cac) | [SMTP](/kibana/app/dashboards#/view/00304500-75e7-11ea-9565-7315f4ee5cac) | [SNMP](/kibana/app/dashboards#/view/96522610-75e8-11ea-9565-7315f4ee5cac) | \\n[SSH](/kibana/app/dashboards#/view/9dfd77e0-75eb-11ea-9565-7315f4ee5cac) | 
[SSL](/kibana/app/dashboards#/view/efae8de0-75eb-11ea-9565-7315f4ee5cac) | [Syslog](/kibana/app/dashboards#/view/66499a20-75ed-11ea-9565-7315f4ee5cac) | [Tunnels](/kibana/app/dashboards#/view/c962dd60-75ed-11ea-9565-7315f4ee5cac) | [X.509](/kibana/app/dashboards#/view/2e0865f0-75ee-11ea-9565-7315f4ee5cac) \\n\"}}"}, "coreMigrationVersion": "7.16.2", "id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 11], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjY2LDE1XQ=="} +{"attributes": {"fieldFormatMap": "{\"network.community_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:network.community_id,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(network.community_id:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator'
,viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip:'{{ value }}')),(term:(destination.ip:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(emb
eddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.ip:'{{ value }}')),(term:(destination.ip:'{{ value }}')))),meta:(alias:'source.ip:%20!'{{ value }}!'%20OR%20destination.ip:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.ip%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.ip%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1
-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"source.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value }}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086f
ff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"destination.port\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(('$state':(store:globalState),bool:(should:!((term:(source.port:'{{ value }}')),(term:(destination.port:'{{ value }}')))),meta:(alias:'source.port:%20!'{{ value }}!'%20OR%20destination.port:%20!'{{ value 
}}!'',disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:bool,negate:!f,type:custom,value:'%7B%22should%22:%5B%7B%22term%22:%7B%22source.port%22:%2210.200.1.153%22%7D%7D,%7B%22term%22:%7B%22destination.port%22:%2210.200.1.153%22%7D%7D%5D%7D'))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:20,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-
47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8
),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.fuid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.fuid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.fuid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embedda
bleConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',
viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"log.id.uid.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:log.id.uid,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(log.id.uid:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:10,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:15,x:10,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddabl
eConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"_id\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/#/hunt?q=_id%3A{{value}}\",\"labelTemplate\":\"Hunt and optionally pivot to PCAP/Cases\"}},\"client.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"server.bytes\":{\"id\":\"bytes\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"event.dataset\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view
)\",\"labelTemplate\":\"{{ value }}\"}},\"event.dataset.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.dataset.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.dataset.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),
(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"event.module.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6
.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"agent.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:agent.name.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(agent.name.keyword:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(
embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value 
}}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',vi
ewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"rule.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"kibana#/dashboard/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.name:'{{ value }}')))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableCo
nfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:''),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)\",\"labelTemplate\":\"{{ value }}\"}},\"osquery.result.live_query\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"osquery.result.live_query.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"https://PLACEHOLDER/fleet/queries/new?host_uuids={{rawValue}}\",\"labelTemplate\":\"Live Query\"}},\"connection.state_description\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.state_description.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.state_description,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(connection.state_description:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9
-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.category.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"rule.category\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.category,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.category:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"rule.uuid\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:rule.uuid,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(rule.uuid:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"connection.history\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"connection.history.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:connection.history,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(connection.history:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:
f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.message_types.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.message_types,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dhcp.message_types:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemp
late\":\"{{ value }}\"}},\"dhcp.requested_address\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.requested_address.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.requested_address,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.requested_address:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f
4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dhcp.assigned_ip.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.assigned_ip,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.assigned_ip:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"host.mac\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9
d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.mac.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:host.mac,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(host.mac:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTem
plate\":\"{{ value }}\"}},\"dhcp.lease_time\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dhcp.lease_time,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dhcp.lease_time:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-1
1ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.query.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.query.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.query.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers.name:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"dns.answers.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.answers.name,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(dns.answers.name:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y
:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"dns.response.code_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:dns.response.code_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(dns.response.code_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574
',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a
7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.mime_type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.mime_type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.mime_type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"file.name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-
8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ftp.argument.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.argument,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ftp.argument:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.user\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.user.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.user,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.user:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd
2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ftp.password\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ftp.password.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ftp.password,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ftp.password:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-7
2a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.useragent\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"http.useragent.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.useragent,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(http.useragent:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.method\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.method.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.method,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.method:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7
-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.virtual_host.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.virtual_host,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.virtual_host:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8
),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"http.uri.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"http.uri\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:http.uri.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(http.uri.keyword:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-
11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id
:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"notice.note\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.note,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.note:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"notice.message\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:notice.message,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(notice.message:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb
0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"ssl.server_name\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.server_name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(ssl.server_name:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-
72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.subject,negate:!f,params:(query:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX'),type:phrase),query:(match_phrase:(ssl.certificate.subject:'O%3DDefault%20Company%20Ltd,L%3DDefault%20City,C%3DXX')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,
version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"ssl.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:ssl.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(ssl.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d
2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility_label:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.facility_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.facility_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.facility_label:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35
,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity_label:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"syslog.severity_label\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:syslog.severity_label,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(syslog.severity_label:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35
,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.subject.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.subject,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.subject:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8
f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.issuer.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.issuer,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.certificate.issuer:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59
b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value 
}}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\"
,\"labelTemplate\":\"{{ value }}\"}},\"x509.san_dns.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.san_dns,negate:!f,params:(query:'{{ value }}'),type:phrase),query:(match_phrase:(x509.san_dns:'{{ value }}')))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfd
eb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:view)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value 
}})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",
\"labelTemplate\":\"{{ value }}\"}},\"x509.certificate.key.type.keyword\":{\"id\":\"url\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_a=(description:'',filters:!(('$state':(store:appState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:x509.certificate.key.type,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(x509.certificate.key.type:{{ value }})))),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f5
9b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.7.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.7.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:edit)&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-24h,mode:quick,to:now))\",\"labelTemplate\":\"{{ value }}\"}}}", "fields": "[{\"name\":\"@timestamp\",\"type\":\"date\",\"esTypes\":[\"date\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"esTypes\":[\"_id\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"esTypes\":[\"_index\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"esTypes\":[\"_source\"],\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"esTypes\":[\"_type\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.ephemeral_id.keyword\",\"type\":\"strin
g\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.ephemeral_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.ephemeral_id\"}}},{\"name\":\"agent.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.hostname\"}}},{\"name\":\"agent.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.id\"}}},{\"name\":\"agent.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.name\"}}},{\"name\":\"agent.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.type\"}}},{\"name\":\"agent.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"agent.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"agent.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"agent.version\"}}},{\"name\":\"client.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.addres
s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.address\"}}},{\"name\":\"client.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.id.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.id.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.id.product.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.id.product\"}}},{\"name\":\"client.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"m
ulti\":{\"parent\":\"client.name\"}}},{\"name\":\"client.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.name\"}}},{\"name\":\"client.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.port\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client.user_agent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.user_agent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"client.user_agent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"client.user_agent\"}}},{\"name\":\"connection.bytes.missed\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.history\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.history.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.history.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"connection.history\"}}},{\"name\":\"connection.local.originator\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.local.responder\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"connection.state\"}}},{\"name\":\"connection.state_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection.state_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"connection.state_description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"connection.state_description\"}}},{\"name\":\"data.euid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.euid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"name\":\"data.euid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.euid\"}}},{\"name\":\"data.file\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.file.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"name\":\"data.file.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.file\"}}},{\"name\":\"data.hardware.cpu_cores\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_cores.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_cores\"}}},{\"name\":\"data.hardware.cpu_cores.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_cores\"}}},{\"name\":\"data.hardware.cpu_mhz\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_mhz.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_mhz\"}}},{\"name\":\"data.hardware.cpu_mhz.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_mhz\"}}},{\"name\":\"data.hardware.cpu_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.cpu_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_name\"}}},{\"name\":\"data.hardware.cpu_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.cpu_name\"}}},{\"name\":\"data.hardware.ram_free\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_free.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_free\"}}},{\"name\":\"data.hardware.ram_free.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_free\"}}},{\"name\":\"data.hardware.ram_total\",\"type\"
:\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_total.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_total\"}}},{\"name\":\"data.hardware.ram_total.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_total\"}}},{\"name\":\"data.hardware.ram_usage\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.ram_usage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_usage\"}}},{\"name\":\"data.hardware.ram_usage.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hardware.ram_usage\"}}},{\"name\":\"data.hardware.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hardware.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hardware.serial\"}}},{\"name\":\"data.hardware.serial.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{
\"parent\":\"data.hardware.serial\"}}},{\"name\":\"data.hotfix\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.hotfix.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.hotfix\"}}},{\"name\":\"data.hotfix.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.hotfix\"}}},{\"name\":\"data.logname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.logname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.logname\"}}},{\"name\":\"data.logname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.logname\"}}},{\"name\":\"data.netinfo.iface.adapter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.adapter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.adapter\"}}},{\"name\":\"data.netinfo.iface.adapter.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"pare
nt\":\"data.netinfo.iface.adapter\"}}},{\"name\":\"data.netinfo.iface.ipv4.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.address\"}}},{\"name\":\"data.netinfo.iface.ipv4.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.address\"}}},{\"name\":\"data.netinfo.iface.ipv4.broadcast\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.broadcast.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.broadcast\"}}},{\"name\":\"data.netinfo.iface.ipv4.broadcast.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.broadcast\"}}},{\"name\":\"data.netinfo.iface.ipv4.dhcp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.dhcp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.dhcp\"}}},{\"name\":\"da
ta.netinfo.iface.ipv4.dhcp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.dhcp\"}}},{\"name\":\"data.netinfo.iface.ipv4.gateway\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.gateway.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv4.gateway.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv4.metric\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.metric.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.metric\"}}},{\"name\":\"data.netinfo.iface.ipv4.metric.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.metric\"}}},{\"name\":\"data.netinfo.iface.ipv4.netmask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv4.netmask.keyword\",\"type\":\"string\",\"esT
ypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.netmask\"}}},{\"name\":\"data.netinfo.iface.ipv4.netmask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv4.netmask\"}}},{\"name\":\"data.netinfo.iface.ipv6.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.address\"}}},{\"name\":\"data.netinfo.iface.ipv6.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.address\"}}},{\"name\":\"data.netinfo.iface.ipv6.dhcp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.dhcp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.dhcp\"}}},{\"name\":\"data.netinfo.iface.ipv6.dhcp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.dhcp\"}}},{\"name\":\"data.netinfo.iface.ipv6.gateway\",\"type\":\"string\",
\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.gateway.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv6.gateway.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.gateway\"}}},{\"name\":\"data.netinfo.iface.ipv6.metric\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.metric.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.metric\"}}},{\"name\":\"data.netinfo.iface.ipv6.metric.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.metric\"}}},{\"name\":\"data.netinfo.iface.ipv6.netmask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.ipv6.netmask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.netmask\"}}},{\"name\":\"data.netinfo.iface.ipv6.netmask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.ipv6.netmask\"}}},{\"name\":\"data.netinfo.iface.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mac\"}}},{\"name\":\"data.netinfo.iface.mac.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mac\"}}},{\"name\":\"data.netinfo.iface.mtu\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.mtu.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mtu\"}}},{\"name\":\"data.netinfo.iface.mtu.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.mtu\"}}},{\"name\":\"data.netinfo.iface.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.name\"}}},{\"name\":\"data.ne
tinfo.iface.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.name\"}}},{\"name\":\"data.netinfo.iface.rx_bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_bytes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_bytes\"}}},{\"name\":\"data.netinfo.iface.rx_bytes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_bytes\"}}},{\"name\":\"data.netinfo.iface.rx_dropped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_dropped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_dropped\"}}},{\"name\":\"data.netinfo.iface.rx_dropped.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_dropped\"}}},{\"name\":\"data.netinfo.iface.rx_errors\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_errors.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_errors\"}}},{\"name\":\"data.netinfo.iface.rx_errors.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_errors\"}}},{\"name\":\"data.netinfo.iface.rx_packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.rx_packets.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_packets\"}}},{\"name\":\"data.netinfo.iface.rx_packets.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.rx_packets\"}}},{\"name\":\"data.netinfo.iface.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.state\"}}},{\"name\":\"data.netinfo.iface.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.state\"}}},{\"name\":\"data.netinfo.iface.tx_bytes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_bytes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_bytes\"}}},{\"name\":\"data.netinfo.iface.tx_bytes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_bytes\"}}},{\"name\":\"data.netinfo.iface.tx_dropped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_dropped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_dropped\"}}},{\"name\":\"data.netinfo.iface.tx_dropped.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_dropped\"}}},{\"name\":\"data.netinfo.iface.tx_errors\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_errors.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_errors\"}}},{\"name\":\"data.netinfo.iface.tx_errors.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netin
fo.iface.tx_errors\"}}},{\"name\":\"data.netinfo.iface.tx_packets\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.tx_packets.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_packets\"}}},{\"name\":\"data.netinfo.iface.tx_packets.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.tx_packets\"}}},{\"name\":\"data.netinfo.iface.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.netinfo.iface.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.type\"}}},{\"name\":\"data.netinfo.iface.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.netinfo.iface.type\"}}},{\"name\":\"data.os.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.architecture\"}}},{\"name\":\"data.os.architecture.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.architecture\"}}},{\"name\":\"data.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.build\"}}},{\"name\":\"data.os.build.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.build\"}}},{\"name\":\"data.os.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.hostname\"}}},{\"name\":\"data.os.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.hostname\"}}},{\"name\":\"data.os.major\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.major.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.major\"}}},{\"name\":\"data.os.major.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.major\"}}},{\"name\":\"data.os.minor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.minor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.minor\"}}},{\"name\":\"data.os.minor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.minor\"}}},{\"name\":\"data.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.name\"}}},{\"name\":\"data.os.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.name\"}}},{\"name\":\"data.os.os_release\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.os_release.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.os_release\"}}},{\"name\":\"data.os.os_release.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.os_release\"}}},{\"name\":\"data.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.platform\"}}},{\"name\":\"data.os.platform.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.platform\"}}},{\"name\":\"data.os.release\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.release\"}}},{\"name\":\"data.os.release.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.release\"}}},{\"name\":\"data.os.release_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.release_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.release_version\"}}},{\"name\":\"data.os.release_version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.release_version\"}}},{\"name\":\"data.os.sysname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.sysname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.sysname\"}}},{\"name\":\"data.os.sysname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.sysname\"}}},{\"name\":\"data.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.os.version\"}}},{\"name\":\"data.os.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.os.version\"}}},{\"name\":\"data.port.inode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.inode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.inode\"}}},{\"name\":\"data.port.inode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readF
romDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.inode\"}}},{\"name\":\"data.port.local_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.local_ip\"}}},{\"name\":\"data.port.local_ip.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.local_ip\"}}},{\"name\":\"data.port.local_port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.local_port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.local_port\"}}},{\"name\":\"data.port.local_port.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.local_port\"}}},{\"name\":\"data.port.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.pid\"}}},{\"name\":\"data.port.pid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.pid\"}}},{\"name\":\"data.port.process\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.process.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.process\"}}},{\"name\":\"data.port.process.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.process\"}}},{\"name\":\"data.port.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.protocol\"}}},{\"name\":\"data.port.protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.protocol\"}}},{\"name\":\"data.port.remote_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_ip\"}}},{\"name\":\"data.port.remote_ip.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_ip\"}}},{\"name\":\"data.port.remote_port\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.remote_port.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_port\"}}},{\"name\":\"data.port.remote_port.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.remote_port\"}}},{\"name\":\"data.port.rx_queue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.rx_queue.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.rx_queue\"}}},{\"name\":\"data.port.rx_queue.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.rx_queue\"}}},{\"name\":\"data.port.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.state\"}}},{\"name\":\"data.port.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.state\"}}},{\"name\":\"data.port.tx_queue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.port.tx_queue.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.port.tx_queue\"}}},{\"name\":\"data.port.tx_queue.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.port.tx_queue\"}}},{\"name\":\"data.pwd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.pwd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.pwd\"}}},{\"name\":\"data.pwd.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.pwd\"}}},{\"name\":\"data.srcuser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.srcuser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"name\":\"data.srcuser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false
,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.srcuser\"}}},{\"name\":\"data.title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"name\":\"data.title.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.title\"}}},{\"name\":\"data.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.tty.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"name\":\"data.tty.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.tty\"}}},{\"name\":\"data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.type\"}}},{\"name\":\"data.uid\",\"t
ype\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"name\":\"data.uid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"data.uid\"}}},{\"name\":\"dce_rpc.endpoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.endpoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.endpoint.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.endpoint\"}}},{\"name\":\"dce_rpc.named_pipe\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.named_pipe.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.named_pipe.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.named_pipe\"}}},{\"name\":\"dce_rpc.operation\",\"type\":\"string\",\"esTypes
\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dce_rpc.operation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"dce_rpc.operation.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dce_rpc.operation\"}}},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.city_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.city_name\"}}},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.continent_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"mult
i\":{\"parent\":\"destination.geo.continent_name\"}}},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_iso_code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_iso_code\"}}},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.country_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.country_name\"}}},{\"name\":\"destination.geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false
,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_iso_code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_iso_code\"}}},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.region_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.region_name\"}}},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.
geo.timezone.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"destination.geo.timezone\"}}},{\"name\":\"destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.assigned_ip\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.assigned_ip.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp.assigned_ip.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dhcp.assigned_ip\"}}},{\"name\":\"dhcp
.lease_time\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dhcp.message_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.message_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.message_types.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dhcp.message_types\"}}},{\"name\":\"dhcp.requested_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dhcp.requested_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dhcp.requested_address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dhcp.requested_address\"}}},{\"name\":\"dnp3.fc_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_reply.security\",\"type\":\"string\",\"
esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_reply\"}}},{\"name\":\"dnp3.fc_request\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dnp3.fc_request.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.fc_request.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dnp3.fc_request\"}}},{\"name\":\"dnp3.iin\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.answers.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.answers.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.answers.name\"}}},{\"name\":\"dns.answers.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.answers.name\"}}},{\"name\":\"dns.authoritative\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.highest_registered_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":false,\"readFromDocValues\":false},{\"name\":\"dns.highest_registered_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.highest_registered_domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.highest_registered_domain\"}}},{\"name\":\"dns.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.parent_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.parent_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.parent_domain\"}}},{\"name\":\"dns.parent_domain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.class_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.class_name.keyword\",\"t
ype\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.class_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.query.class_name\"}}},{\"name\":\"dns.query.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.query.name\"}}},{\"name\":\"dns.query.rejected\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.query.type_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.query.type_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":true,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.query.type_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.query.type_name\"}}},{\"name\":\"dns.recursion.available\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.recursion.desired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.reserved\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.response.code_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.response.code_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.response.code_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.response.code_name\"}}},{\"name\":\"dns.subdomain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.subdomain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.subdomain\"}}},{\"name\":\"dns.subdomain_length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.top_level_domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dns.top_level_domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.top_level_domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"dns.top_level_domain\"}}},{\"name\":\"dns.truncated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.ttls\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ecs.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\
"name\":\"ecs.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ecs.version\"}}},{\"name\":\"error.reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"error.reason.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"error.reason\"}}},{\"name\":\"event.acknowledged\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.action\"}}},{\"name\":\"event.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.category.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.category\"}}},{\"name\":\"event.code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.code\"}}},{\"name\":\"event.code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.code\"}}},{\"name\":\"event.created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.created.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.created\"}}},{\"name\":\"event.dataset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.dataset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\
"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.dataset.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.dataset\"}}},{\"name\":\"event.duration\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.escalated\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.kind.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.kind.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.kind\"}}},{\"name\":\"event.module\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.module.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.module.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.module\"}}},{\"name\":\"event.provider\",\"type\":\"string\",\"esTypes\":[\"text\"],\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.provider.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.provider.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.provider\"}}},{\"name\":\"event.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.severity_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.severity_label.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.severity_label\"}}},{\"name\":\"event.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"event.timestamp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregata
ble\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"event.timestamp\"}}},{\"name\":\"file.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.action\"}}},{\"name\":\"file.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.analyzer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.analyzer\"}}},{\"name\":\"file.aslr\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.missing\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.overflow\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.seen\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,
\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.bytes.total\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_integrity\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.compile_timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.compile_timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.compile_timestamp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.compile_timestamp\"}}},{\"name\":\"file.debug_data\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.dep\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.description\"}}},{\"name\":\"file.description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.description\"}}},{\"name\":\"file.extracted.cutoff\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extracted.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.extracted.filename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.extracted.filename.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.extracted.filename\"}}},{\"name\":\"file.flavors.mime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.mime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.mime\"}}},{\"name\":\"file.flavors.mime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.flavors.mime\"}}},{\"name\":\"file.flavors.yara\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.flavors.yara.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.flavors.yara.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.flavors.yara\"}}},{\"name\":\"file.is_64bit\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_exe\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.is_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.local_orig\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.machine\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.machine.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.machine.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.machine\"}}},{\"name\":\"file.mime_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mime_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mime_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.mime_type\"}}},{\"name\":\"file.mimetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.mimetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.mimetype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.mimetype\"}}},{\"name\":\"file.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.name\"}}},{\"name\":\"file.orig_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"file.orig_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_filenames.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.orig_filenames\"}}},{\"name\":\"file.orig_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.orig_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.orig_mime_types.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.orig_mime_types\"}}},{\"name\":\"file.os\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.os.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.os.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.os\"}}},{\"name\":\"file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fi
le.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.path\"}}},{\"name\":\"file.resp_filenames\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_filenames.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_filenames.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.resp_filenames\"}}},{\"name\":\"file.resp_mime_types\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.resp_mime_types.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.resp_mime_types.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.resp_mime_types\"}}},{\"name\":\"file.scanners\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fil
e.scanners.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.scanners.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.scanners\"}}},{\"name\":\"file.section_names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.section_names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.section_names.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.section_names\"}}},{\"name\":\"file.seh\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.source.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.source.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.source\"}}},{\"name\":\"file.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.subsystem.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.subsystem\"}}},{\"name\":\"file.table.cert\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.export\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.table.import\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.target\"}}},{\"name\":\"file.target.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.target\"}}},{\"name\":\"file.timed_out\",\"type\":\"boolean\",\"
esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.times_accessed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_accessed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_accessed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_accessed\"}}},{\"name\":\"file.times_changed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_changed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_changed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_changed\"}}},{\"name\":\"file.times_created\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_created.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_created.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_created\"}}},{\"name\":\"file.times_modified\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.times_modified.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.times_modified.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.times_modified\"}}},{\"name\":\"file.tree.node\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.node.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.tree.node\"}}},{\"name\":\"file.tree.parent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.parent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.parent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.tree.parent\"}}},{\"name\":\"file.tree.root\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.tree.root.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"file.tree.root.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"file.tree.root\"}}},{\"name\":\"ftp.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.argument.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.argument\"}}},{\"name\":\"ftp.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.command.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregat
able\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.command\"}}},{\"name\":\"ftp.data_channel_destination.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_destination.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_passive\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.data_channel_source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp.password\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.password.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.password.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.password\"}}},{\"name\":\"ftp.user\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"ftp.user.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ftp.user\"}}},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hash.hassh\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.hassh.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.hassh.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.hassh\"}}},{\"name\":\"hash.ja3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ha
sh.ja3\"}}},{\"name\":\"hash.ja3.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.ja3\"}}},{\"name\":\"hash.ja3s\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ja3s.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.ja3s.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.ja3s\"}}},{\"name\":\"hash.md5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.md5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.md5.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.md5\"}}},{\"name\":\"hash.sha1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.sha1\"}}},{\"name\":\"hash.sha256\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.sha256.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.sha256.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.sha256\"}}},{\"name\":\"hash.ssdeep\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hash.ssdeep.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"hash.ssdeep.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"hash.ssdeep\"}}},{\"name\":\"host.architecture\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.architecture.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.architecture.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDoc
Values\":false,\"subType\":{\"multi\":{\"parent\":\"host.architecture\"}}},{\"name\":\"host.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.domain\"}}},{\"name\":\"host.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.hostname\"}}},{\"name\":\"host.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"host.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.id\"}}},{\"name\":\"hos
t.mac\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.mac.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.mac.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.mac\"}}},{\"name\":\"host.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.name\"}}},{\"name\":\"host.os.build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.build.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.build\"}}},{\"name\":\"host.os.family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.family.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.family\"}}},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.kernel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.kernel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.kernel\"}}},{\"name\":\"host.os.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.name\"}}},{\"name\":\"host.os.platform\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readF
romDocValues\":false},{\"name\":\"host.os.platform.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.platform.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.platform\"}}},{\"name\":\"host.os.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.os.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.os.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.os.version\"}}},{\"name\":\"host.syscheck.changed_attributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.changed_attributes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.changed_attributes\"}}},{\"name\":\"host.syscheck.changed_attributes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.changed_attributes\"}}},{\"name\":\"host.syscheck.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.event.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.event\"}}},{\"name\":\"host.syscheck.gid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gid_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gid_after\"}}},{\"name\":\"host.syscheck.gname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.gname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\"}}},{\"name\":\"host.syscheck.gname_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.gname_after\
"}}},{\"name\":\"host.syscheck.inode_after\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.syscheck.md5_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_after\"}}},{\"name\":\"host.syscheck.md5_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.md5_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.md5_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.md5_before\"}}},{\"name\":\"host.syscheck.mode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"hos
t.syscheck.mode\"}}},{\"name\":\"host.syscheck.mode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mode\"}}},{\"name\":\"host.syscheck.mtime_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_after\"}}},{\"name\":\"host.syscheck.mtime_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.mtime_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.mtime_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.mtime_before\"}}},{\"name\":\"host.syscheck.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.path\"}}},{\"name\":\"host.syscheck.perm_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.perm_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.perm_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.perm_after\"}}},{\"name\":\"host.syscheck.sha1_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_after\"}}},{\"name\":\"host.syscheck.sha1_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha1_befo
re.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha1_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha1_before\"}}},{\"name\":\"host.syscheck.sha256_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_after\"}}},{\"name\":\"host.syscheck.sha256_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.sha256_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.sha256_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.sha256_before\"}}},{\"name\":\"host.syscheck.size_after\",\"type\":\"string\",\"esTypes\":[\"te
xt\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.size_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_after\"}}},{\"name\":\"host.syscheck.size_before\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.size_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_before\"}}},{\"name\":\"host.syscheck.size_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.size_before\"}}},{\"name\":\"host.syscheck.uid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uid_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"p
arent\":\"host.syscheck.uid_after\"}}},{\"name\":\"host.syscheck.uname_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.syscheck.uname_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"host.syscheck.uname_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"host.syscheck.uname_after\"}}},{\"name\":\"http.info_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.info_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.info_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.info_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.info_message\"}}},{\"name\":\"http.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\
"name\":\"http.method.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.method\"}}},{\"name\":\"http.proxied\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.proxied.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.proxied.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.proxied\"}}},{\"name\":\"http.referrer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.referrer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.referrer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.referrer\"}}},{\"name\":\"http.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.status_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.status_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.status_message\"}}},{\"name\":\"http.trans_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.uri.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.uri\"}}},{\"name\":\"http.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.useragent.security\
",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.useragent\"}}},{\"name\":\"http.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.version\"}}},{\"name\":\"http.virtual_host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"http.virtual_host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"http.virtual_host.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"http.virtual_host\"}}},{\"name\":\"ingest.timestamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ingest.timestamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"ingest.timestamp.security\",\"type\":\"string\",
\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ingest.timestamp\"}}},{\"name\":\"intel.indicator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.indicator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.indicator\"}}},{\"name\":\"intel.indicator_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.indicator_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.indicator_type\"}}},{\"name\":\"intel.indicator_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.indicator_type\"}}},{\"name\":\"intel.matched\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.matched.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.matched\"}}},{\"name\":\"intel.matched.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.matched\"}}},{\"name\":\"intel.seen_node\",\"type\":\"string\",\"esTypes\":[
\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.seen_node.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.seen_node\"}}},{\"name\":\"intel.seen_node.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.seen_node\"}}},{\"name\":\"intel.seen_where\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.seen_where.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.seen_where\"}}},{\"name\":\"intel.seen_where.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.seen_where\"}}},{\"name\":\"intel.sources\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"intel.sources.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"intel.sources\"}}},{\"name\":\"intel.sources.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"intel.sources\"}}},{\"name\":\"irc.command.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.command.info\"}}},{\"name\":\"irc.command.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.command.type\"}}},{\"name\":\"irc.command.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.command.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.command.value.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.command.value\"}}},{\"name\":\"irc.nickname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.nickname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.nickname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.nickname\"}}},{\"name\":\"irc.username\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc.username.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"irc.username.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"irc.username\"}}},{\"name\":\"kerberos.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.client\"}}},{\"name\":\"kerberos.client_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.client_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\"name\":\"kerberos.client_certificate_subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.client_certificate_subject\"}}},{\"name\":\"kerberos.error_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.error_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.error_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.error_message\"}}},{\"name\":\"kerberos.request_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.request_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_type\"}}},{\"name\":\"kerberos.request_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.request_typ
e\"}}},{\"name\":\"kerberos.server_certificate_subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.server_certificate_subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.server_certificate_subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.server_certificate_subject\"}}},{\"name\":\"kerberos.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.service.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.service\"}}},{\"name\":\"kerberos.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"
multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.cipher.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.cipher\"}}},{\"name\":\"kerberos.ticket.forwardable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.renewable\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kerberos.ticket.valid.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.from\"}}},{\"name\":\"kerberos.ticket.valid.until\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos.ticket.valid.until.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"kerberos.ticket.valid.until.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"kerberos.ticket.valid.until\"}}},{\"name\":\"log.file.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.file.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.file.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.file.path\"}}},{\"name\":\"log.full\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.full.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.full.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.full\"}}},{\"name\":\"log.id.client_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.client_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.client_certificate_fuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.client_certificate_fuid\"}}},{\"name\":\"log.id.fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.fuid\"}}},{\"name\":\"log.id.fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.fuids\"}}},{\"name\":\"log.id.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subTyp
e\":{\"multi\":{\"parent\":\"log.id.id\"}}},{\"name\":\"log.id.orig_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.orig_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.orig_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.orig_fuids\"}}},{\"name\":\"log.id.resp_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.resp_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.resp_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.resp_fuids\"}}},{\"name\":\"log.id.server_certificate_fuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.server_certificate_fuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.server_certificate_fuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.server_certificate_fuid\"}}},{\"name\":\"log.id.tunnel_parents\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.tunnel_parents.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.tunnel_parents.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.tunnel_parents\"}}},{\"name\":\"log.id.uid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.uid\"}}},{\"name\":\"log.id.uids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.id.uids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.id.uids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fals
e,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.id.uids\"}}},{\"name\":\"log.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.level.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.level\"}}},{\"name\":\"log.location\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.location.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.location.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.location\"}}},{\"name\":\"log.offset\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.previous_log\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_log.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_log\"}}},{\"name\":\"log.previous_log.security\",\"type\":\"
string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.previous_log\"}}},{\"name\":\"log.previous_output\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log.previous_output.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"log.previous_output\"}}},{\"name\":\"log.previous_output.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"log.previous_output\"}}},{\"name\":\"manager.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"manager.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"manager.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"manager.name\"}}},{\"name\":\"message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"message\"}}},{\"name\":\"modbus.function\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"s
cripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"modbus.function.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"modbus.function.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"modbus.function\"}}},{\"name\":\"mysql.argument\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.argument.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.argument.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"mysql.argument\"}}},{\"name\":\"mysql.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.command.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"mysql.command\"}}},{\"name\":\"mysql.response\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.response.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.response.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"mysql.response\"}}},{\"name\":\"mysql.rows\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.community_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.community_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.community_id\"}}},{\"name\":\"network.data.decoded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.data.decoded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword
\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.data.decoded.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.data.decoded\"}}},{\"name\":\"network.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.protocol\"}}},{\"name\":\"network.transport\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"network.transport.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"network.transport.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"network.transport\"}}},{\"name\":\"notice.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.action.keyword\",\"type\":\"string\",\"esTypes\":[\"k
eyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.action\"}}},{\"name\":\"notice.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.message\"}}},{\"name\":\"notice.note\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.note.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.note.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.note\"}}},{\"name\":\"notice.p\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice.peer_description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.peer_description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.peer_description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.peer_description\"}}},{\"name\":\"notice.sub_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.sub_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.sub_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"notice.sub_message\"}}},{\"name\":\"notice.suppress_for\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm.server.dns.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.dns.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.dns.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.dns.name\"}}},{\"name\":\"ntlm.server.nb.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.nb.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.nb.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.nb.name\"}}},{\"name\":\"ntlm.server.tree.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm.server.tree.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.server.tree.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ntlm.server.tree.name\"}}},{\"name\":\"ntlm.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"observer.analyzer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.analyzer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.analyzer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.analyzer\"}}},{\"name\":\"observer.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"observer.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"observer.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"observer.name\"}}},{\"name\":\"osquery.result.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.action\"}}},{\"name\":\"osquery.result.calendarTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.calendarTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendarTime\"}}},{\"name\":\"osquery.result.calendarTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.calendarTime\"}}},{\"name\":\"osquery.result.codename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.codename.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.codename.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.codename\"}}},{\"name\":\"osquery.result.columns.command\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.command.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.command\"}}},{\"name\":\"osquery.result.columns.command.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.command\"}}},{\"name\":\"osquery.result.columns.day_of_month\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValue
s\":false},{\"name\":\"osquery.result.columns.day_of_month.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_month\"}}},{\"name\":\"osquery.result.columns.day_of_month.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_month\"}}},{\"name\":\"osquery.result.columns.day_of_week\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.day_of_week.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_week\"}}},{\"name\":\"osquery.result.columns.day_of_week.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.day_of_week\"}}},{\"name\":\"osquery.result.columns.days\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.days.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.days\"}}},{\"name\":\"osquery.result.columns.days.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi
\":{\"parent\":\"osquery.result.columns.days\"}}},{\"name\":\"osquery.result.columns.event\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.event.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.event\"}}},{\"name\":\"osquery.result.columns.event.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.event\"}}},{\"name\":\"osquery.result.columns.hour\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.hour.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hour\"}}},{\"name\":\"osquery.result.columns.hour.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hour\"}}},{\"name\":\"osquery.result.columns.hours\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.hours.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hours\"}}},{\"name\":\"osquery.result.columns.hours.securit
y\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.hours\"}}},{\"name\":\"osquery.result.columns.minute\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.minute.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minute\"}}},{\"name\":\"osquery.result.columns.minute.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minute\"}}},{\"name\":\"osquery.result.columns.minutes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.minutes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minutes\"}}},{\"name\":\"osquery.result.columns.minutes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.minutes\"}}},{\"name\":\"osquery.result.columns.month\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.month.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.month\"}}},{\"name\":\"osquery.result.columns.month.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.month\"}}},{\"name\":\"osquery.result.columns.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.path\"}}},{\"name\":\"osquery.result.columns.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.path\"}}},{\"name\":\"osquery.result.columns.seconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.seconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.seconds\"}}},{\"name\":\"osquery.result.columns.seconds.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.seconds\"}}},{\"name\":\"osquery.result.columns.total_seconds\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.columns.total_seconds.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.total_seconds\"}}},{\"name\":\"osquery.result.columns.total_seconds.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.columns.total_seconds\"}}},{\"name\":\"osquery.result.counter\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.endpoint_ip1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip1\"}}},{\"name\":\"osquery.result.endpoint_ip2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.endpoint_ip2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osq
uery.result.endpoint_ip2.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.endpoint_ip2\"}}},{\"name\":\"osquery.result.epoch\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.hardware_serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hardware_serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.hardware_serial.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hardware_serial\"}}},{\"name\":\"osquery.result.hostIdentifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostIdentifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostIdentifier\"}}},{\"name\":\"osquery.result.hostIdentifier.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostIdentifier\"}}},{\"name\":\"osquery.result.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.hostname.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.hostname\"}}},{\"name\":\"osquery.result.live_query\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.live_query.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.live_query.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.live_query\"}}},{\"name\":\"osquery.result.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"osquery.result.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osquery.result.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"osquery.result.name\"}}},{\"name\":\"osq
uery.result.numerics\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"osquery.result.unixTime\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.args.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.args\"}}},{\"name\":\"process.args.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.args\"}}},{\"name\":\"process.cmd\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.cmd.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.cmd\"}}},{\"name\":\"process.cmd.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.cmd\"}}},{\"name\":\"process.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.command_line.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.command_line\"}}},{\"name\":\"process.egroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.egroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.egroup\"}}},{\"name\":\"process.egroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.egroup\"}}},{\"name\":\"process.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.entity_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.entity_id\"}}},{\"name\":\"process.euser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.euser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue,\"subType\":{\"multi\":{\"parent\":\"process.euser\"}}},{\"name\":\"process.euser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.euser\"}}},{\"name\":\"process.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.executable.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.executable\"}}},{\"name\":\"process.fgroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.fgroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.fgroup\"}}},{\"name\":\"process.fgroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.fgroup\"}}},{\"name\":\"process.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mul
ti\":{\"parent\":\"process.name\"}}},{\"name\":\"process.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.name\"}}},{\"name\":\"process.nice\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.nice.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.nice\"}}},{\"name\":\"process.nice.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.nice\"}}},{\"name\":\"process.nlwp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.nlwp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.nlwp\"}}},{\"name\":\"process.nlwp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.nlwp\"}}},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.command_line.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.c
ommand_line\"}}},{\"name\":\"process.parent.command_line.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.command_line\"}}},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.entity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.entity_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.entity_id\"}}},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.parent.executable.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.parent.executable.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.parent.executable\"}}},{\"name\":\"process.pe.company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.company\"}}},{\"name\":\"process.pe.company.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.company\"}}},{\"name\":\"process.pe.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.description\"}}},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.file_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.file_version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.file_version\"}}},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.original_file_name.
keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.original_file_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.original_file_name\"}}},{\"name\":\"process.pe.product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pe.product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pe.product.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pe.product\"}}},{\"name\":\"process.pgrp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.pgrp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pgrp\"}}},{\"name\":\"process.pgrp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pgrp\"}}},{\"name\":\"process.pid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":
\"process.pid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.pid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.pid\"}}},{\"name\":\"process.ppid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ppid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.ppid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.ppid\"}}},{\"name\":\"process.priority\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.priority.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.priority\"}}},{\"name\":\"process.priority.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.priority\"}}},{\"name\":\"process.processor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.processor.keyword\",\"type\":\"str
ing\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.processor\"}}},{\"name\":\"process.processor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.processor\"}}},{\"name\":\"process.resident\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.resident.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.resident\"}}},{\"name\":\"process.resident.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.resident\"}}},{\"name\":\"process.rgroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.rgroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.rgroup\"}}},{\"name\":\"process.rgroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.rgroup\"}}},{\"name\":\"process.ruser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.ruser.keyword\",\"type\":\"string\",\"esTypes\":
[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.ruser\"}}},{\"name\":\"process.ruser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.ruser\"}}},{\"name\":\"process.session\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.session.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.session\"}}},{\"name\":\"process.session.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.session\"}}},{\"name\":\"process.sgroup\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.sgroup.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.sgroup\"}}},{\"name\":\"process.sgroup.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.sgroup\"}}},{\"name\":\"process.share\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.share.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripte
d\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.share\"}}},{\"name\":\"process.share.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.share\"}}},{\"name\":\"process.size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.size.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.size\"}}},{\"name\":\"process.size.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.size\"}}},{\"name\":\"process.start_time\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.start_time.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.start_time\"}}},{\"name\":\"process.start_time.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.start_time\"}}},{\"name\":\"process.state\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.state.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.state\"}}},{\"name\":\"process.state.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.state\"}}},{\"name\":\"process.stime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.stime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.stime\"}}},{\"name\":\"process.stime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.stime\"}}},{\"name\":\"process.suser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.suser.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.suser\"}}},{\"name\":\"process.suser.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.suser\"}}},{\"name\":\"process.tgid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.tgid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"s
ubType\":{\"multi\":{\"parent\":\"process.tgid\"}}},{\"name\":\"process.tgid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.tgid\"}}},{\"name\":\"process.tty\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.tty.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.tty\"}}},{\"name\":\"process.tty.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.tty\"}}},{\"name\":\"process.utime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.utime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.utime\"}}},{\"name\":\"process.utime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.utime\"}}},{\"name\":\"process.vm_size\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.vm_size.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.vm_size\"}}},{\"n
ame\":\"process.vm_size.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.vm_size\"}}},{\"name\":\"process.working_directory\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.working_directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"process.working_directory.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"process.working_directory\"}}},{\"name\":\"radius.framed_address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.framed_address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.framed_address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"radius.framed_address\"}}},{\"name\":\"radius.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.reply_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"radius.reply_message\"}}},{\"name\":\"radius.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"radius.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"radius.result.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"radius.result\"}}},{\"name\":\"rdp.certificate_count\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_permanent\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.certificate_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.certificate_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.certificate_type\"}}},{\"name\":\"rdp.certificate_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"
rdp.certificate_type\"}}},{\"name\":\"rdp.client_build\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.client_build.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.client_build.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.client_build\"}}},{\"name\":\"rdp.cookie\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.cookie.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.cookie.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.cookie\"}}},{\"name\":\"rdp.desktop.height\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.desktop.width\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rdp.encryption_level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_level.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_level\"}}},{\"name\":\"rdp.encryption_method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.encryption_method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.encryption_method.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.encryption_method\"}}},{\"name\":\"rdp.keyboard_layout\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.keyboard_layout.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.keyboard_layout.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.keyboard_layout\"}}},{\"name\":\"rdp.requested_color_depth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.requested_color_depth.keyword\",\"type\":\"string\",\"esTypes\":
[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.requested_color_depth.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.requested_color_depth\"}}},{\"name\":\"rdp.result\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.result.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.result.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.result\"}}},{\"name\":\"rdp.security_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rdp.security_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"rdp.security_protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rdp.security_protocol\"}}},{\"name\":\"request.attributes.filename\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.attributes.filename.key
word\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.attributes.filename.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.attributes.filename\"}}},{\"name\":\"request.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.client.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.client\"}}},{\"name\":\"request.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.id\"}}},{\"name\":\"request.source\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request.source.keyword\",\"type\":
\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.source.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"request.source\"}}},{\"name\":\"request.time\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.action\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.action.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.action.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.action\"}}},{\"name\":\"rule.author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.author\"}}},{\"name\":\"rule.author.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.author\"}}},{\"name\":\"rule.category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.category.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.category\"}}},{\"name\":\"rule.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.date\"}}},{\"name\":\"rule.date.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.date\"}}},{\"name\":\"rule.description\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.description.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"name\":\"rule.description.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.description\"}}},{\"name\":\"rule.filetype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fal
se},{\"name\":\"rule.filetype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.filetype\"}}},{\"name\":\"rule.filetype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.filetype\"}}},{\"name\":\"rule.firedtimes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gdpr\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gdpr.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gdpr.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.gdpr\"}}},{\"name\":\"rule.gid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.gpg13\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.gpg13.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.gpg13.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":f
alse,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.gpg13\"}}},{\"name\":\"rule.groups\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.groups.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.groups.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.groups\"}}},{\"name\":\"rule.hash1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hash1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hash1\"}}},{\"name\":\"rule.hash1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.hash1\"}}},{\"name\":\"rule.hipaa\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.hipaa.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"name\":\"rule.hipaa.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.hipaa\"}}},{\"n
ame\":\"rule.info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"name\":\"rule.info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.info\"}}},{\"name\":\"rule.level\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.mail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.maltype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.maltype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.maltype\"}}},{\"name\":\"rule.maltype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.maltype\"}}},{\"name\":\"rule.metadata.affected_product\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.affected_product.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.affected_product.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.affected_product\"}}},{\"name\":\"rule.metadata.attack_target\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.attack_target.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.attack_target.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.attack_target\"}}},{\"name\":\"rule.metadata.created_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.created_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.created_at.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.created_at\"}}},{\"name\":\"rule.metadata.deployment\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.deployment.keywor
d\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.deployment.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.deployment\"}}},{\"name\":\"rule.metadata.former_category\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.former_category.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.former_category.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.former_category\"}}},{\"name\":\"rule.metadata.malware_family\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.malware_family.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.malware_family.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.malware_family\"}}},{\"name\":\"rule.metadata.performance_impact\",\"type\":\"string\",\
"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.performance_impact.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.performance_impact.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.performance_impact\"}}},{\"name\":\"rule.metadata.signature_severity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.signature_severity.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.signature_severity.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.signature_severity\"}}},{\"name\":\"rule.metadata.tag\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.tag.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.tag.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.tag\"}}},{\"name\":\"rule.metadata.updated_at\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.metadata.updated_at.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.metadata.updated_at.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.metadata.updated_at\"}}},{\"name\":\"rule.mitre.id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.mitre.id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"name\":\"rule.mitre.id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.id\"}}},{\"name\":\"rule.mitre.tactic\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.mitre.tactic.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"name\":\"rule.mitre.tactic.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\"
:true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.tactic\"}}},{\"name\":\"rule.mitre.technique\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.mitre.technique.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"name\":\"rule.mitre.technique.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.mitre.technique\"}}},{\"name\":\"rule.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.name\"}}},{\"name\":\"rule.nist_800_53\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.nist_800_53.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.nist_800_53.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.nist_800_53\"}}},{\"name\":\"rule.pci_dss\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.pci_dss.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.pci_dss.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.pci_dss\"}}},{\"name\":\"rule.reference\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.reference.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.reference\"}}},{\"name\":\"rule.reference.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.reference\"}}},{\"name\":\"rule.rev\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.rule\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.rule.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.rule.security\",\"t
ype\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.rule\"}}},{\"name\":\"rule.ruleset\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.ruleset.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.ruleset\"}}},{\"name\":\"rule.ruleset.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.ruleset\"}}},{\"name\":\"rule.score\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.severity\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.tsc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.tsc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"name\":\"rule.tsc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"rule.tsc\"}}},{\"name\":\"rule.uuid\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy
.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.entropy.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.exiftool.About\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.About.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.About.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.About\"}}},{\"name\":\"scan.exiftool.AppVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.AppVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.AppVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.AppVersion\"}}},{\"name\":\"scan.exiftool.Author\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Author.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.Author.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Author\"}}},{\"name\":\"scan.exiftool.BitDepth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BitDepth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BitDepth.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BitDepth\"}}},{\"name\":\"scan.exiftool.BuildID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.BuildID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.BuildID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.BuildID\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sca
n.exiftool.CharCountWithSpaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharCountWithSpaces.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharCountWithSpaces\"}}},{\"name\":\"scan.exiftool.CharacterSet\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CharacterSet.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.CharacterSet.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CharacterSet\"}}},{\"name\":\"scan.exiftool.Characters\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Characters.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.Characters.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Characters\"}}},{\"name\":\"scan.exiftool.CodePage\",\"
type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodePage.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodePage.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodePage\"}}},{\"name\":\"scan.exiftool.CodeSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CodeSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.CodeSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CodeSize\"}}},{\"name\":\"scan.exiftool.ColorType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ColorType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.ColorType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"
multi\":{\"parent\":\"scan.exiftool.ColorType\"}}},{\"name\":\"scan.exiftool.Comments\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Comments.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.Comments.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Comments\"}}},{\"name\":\"scan.exiftool.CompObjUserType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserType\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompObjUserTypeLen.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.CompObjUserTypeLen.security\"
,\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompObjUserTypeLen\"}}},{\"name\":\"scan.exiftool.Company\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Company.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.Company.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Company\"}}},{\"name\":\"scan.exiftool.CompanyName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CompanyName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.CompanyName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CompanyName\"}}},{\"name\":\"scan.exiftool.Compression\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Compression.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true
,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.Compression.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Compression\"}}},{\"name\":\"scan.exiftool.CreateDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreateDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.CreateDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreateDate\"}}},{\"name\":\"scan.exiftool.Creator\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Creator.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.Creator.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Creator\"}}},{\"name\":\"scan.exiftool.CreatorTool\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.CreatorTool.keyword\",\"type\":\"string\",\"esTypes\":[\"keywo
rd\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.CreatorTool.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.CreatorTool\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromDocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromDocumentID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromDocumentID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DerivedFromInstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.DerivedFromInstanceID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DerivedFromInstanceID\"}}},{\"name\":\"scan.exiftool.Directory\",\"type
\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Directory.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.Directory.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Directory\"}}},{\"name\":\"scan.exiftool.DocumentID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.DocumentID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.DocumentID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.DocumentID\"}}},{\"name\":\"scan.exiftool.EntryPoint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.EntryPoint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.EntryPoint.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\
"subType\":{\"multi\":{\"parent\":\"scan.exiftool.EntryPoint\"}}},{\"name\":\"scan.exiftool.Error\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Error.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.Error.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Error\"}}},{\"name\":\"scan.exiftool.ExifToolVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ExifToolVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.ExifToolVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ExifToolVersion\"}}},{\"name\":\"scan.exiftool.FileAccessDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileAccessDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileAccessDate.security\",\"type\":\"stri
ng\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileAccessDate\"}}},{\"name\":\"scan.exiftool.FileDescription\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileDescription.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileDescription.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileDescription\"}}},{\"name\":\"scan.exiftool.FileFlags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlags\"}}},{\"name\":\"scan.exiftool.FileFlagsMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileFlagsMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileFlagsMask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileFlagsMask\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileInodeChangeDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileInodeChangeDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileInodeChangeDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileModifyDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileModifyDate\"}}},{\"name\":\"scan.exiftool.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\
":false},{\"name\":\"scan.exiftool.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileName\"}}},{\"name\":\"scan.exiftool.FileOS\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileOS.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FileOS.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileOS\"}}},{\"name\":\"scan.exiftool.FilePermissions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FilePermissions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FilePermissions.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FilePermissions\"}}},{\"name\":\"scan.exiftool.FileSize\",\"type\":\"string\",\"esTyp
es\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSize\"}}},{\"name\":\"scan.exiftool.FileSubtype\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileSubtype.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileSubtype.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileSubtype\"}}},{\"name\":\"scan.exiftool.FileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"par
ent\":\"scan.exiftool.FileType\"}}},{\"name\":\"scan.exiftool.FileTypeExtension\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileTypeExtension.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileTypeExtension.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileTypeExtension\"}}},{\"name\":\"scan.exiftool.FileVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersion\"}}},{\"name\":\"scan.exiftool.FileVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.FileVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.FileVersionNumber.secu
rity\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.FileVersionNumber\"}}},{\"name\":\"scan.exiftool.Filter\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Filter.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Filter.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Filter\"}}},{\"name\":\"scan.exiftool.Format\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Format.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.Format.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Format\"}}},{\"name\":\"scan.exiftool.HasXFA\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HasXFA.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\"
:\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HasXFA.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HasXFA\"}}},{\"name\":\"scan.exiftool.HeadingPairs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HeadingPairs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HeadingPairs.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HeadingPairs\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.HyperlinksChanged.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.HyperlinksChanged.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.HyperlinksChanged\"}}},{\"name\":\"scan.exiftool.ImageHeight\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageHeight.keyword\",\"type\":\"string\",\"esTypes\
":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageHeight.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageHeight\"}}},{\"name\":\"scan.exiftool.ImageSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageSize\"}}},{\"name\":\"scan.exiftool.ImageVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageVersion\"}}},{\"name\":\"scan.exiftool.ImageWidth\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ImageWidth.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.ImageWidth.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ImageWidth\"}}},{\"name\":\"scan.exiftool.InitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InitializedDataSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InitializedDataSize\"}}},{\"name\":\"scan.exiftool.InstanceID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InstanceID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InstanceID\"}}},{\"name\":\"scan.exiftool.InstanceID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exif
tool.InstanceID\"}}},{\"name\":\"scan.exiftool.Interlace\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Interlace.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.Interlace.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Interlace\"}}},{\"name\":\"scan.exiftool.InternalName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.InternalName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.InternalName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.InternalName\"}}},{\"name\":\"scan.exiftool.Keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Keywords.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Keywords\"}}},{\"name\":\"scan.exiftool.Language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.Language.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Language\"}}},{\"name\":\"scan.exiftool.LanguageCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LanguageCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LanguageCode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LanguageCode\"}}},{\"name\":\"scan.exiftool.LastModifiedBy\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LastModifiedBy.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\
"name\":\"scan.exiftool.LastModifiedBy.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LastModifiedBy\"}}},{\"name\":\"scan.exiftool.LegalCopyright\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalCopyright.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalCopyright.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalCopyright\"}}},{\"name\":\"scan.exiftool.LegalTrademarks\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LegalTrademarks.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.LegalTrademarks.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LegalTrademarks\"}}},{\"name\":\"scan.exiftool.Linearized\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Linearized.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Linearized.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Linearized\"}}},{\"name\":\"scan.exiftool.Lines\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Lines.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.Lines.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Lines\"}}},{\"name\":\"scan.exiftool.LinkerVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.LinkerVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinkerVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinkerVersion\"}}},{\"name\":\"scan.exiftool.LinksUpToDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocVa
lues\":false},{\"name\":\"scan.exiftool.LinksUpToDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"}}},{\"name\":\"scan.exiftool.LinksUpToDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.LinksUpToDate\"}}},{\"name\":\"scan.exiftool.MIMEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MIMEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MIMEType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MIMEType\"}}},{\"name\":\"scan.exiftool.MachineType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.MachineType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.MachineType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.MachineType\"}}},{\"name\":\"scan.exiftool.Megapixels\",\"type\":\
"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Megapixels.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.Megapixels.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Megapixels\"}}},{\"name\":\"scan.exiftool.ModifyDate\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ModifyDate.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.ModifyDate.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ModifyDate\"}}},{\"name\":\"scan.exiftool.OSVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OSVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.OSVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"sub
Type\":{\"multi\":{\"parent\":\"scan.exiftool.OSVersion\"}}},{\"name\":\"scan.exiftool.ObjectFileType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ObjectFileType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.ObjectFileType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ObjectFileType\"}}},{\"name\":\"scan.exiftool.OriginalFileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.OriginalFileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.OriginalFileName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.OriginalFileName\"}}},{\"name\":\"scan.exiftool.PDFVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PDFVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PDFVersi
on.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PDFVersion\"}}},{\"name\":\"scan.exiftool.PEType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PEType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PEType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PEType\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PTEX_Fullbanner.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PTEX_Fullbanner.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PTEX_Fullbanner\"}}},{\"name\":\"scan.exiftool.PageCount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PageCount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFrom
DocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.PageCount.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PageCount\"}}},{\"name\":\"scan.exiftool.Pages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Pages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Pages.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Pages\"}}},{\"name\":\"scan.exiftool.Paragraphs\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Paragraphs.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.Paragraphs.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Paragraphs\"}}},{\"name\":\"scan.exiftool.PrivateBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.PrivateBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"key
word\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.PrivateBuild.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.PrivateBuild\"}}},{\"name\":\"scan.exiftool.Producer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Producer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.Producer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Producer\"}}},{\"name\":\"scan.exiftool.ProductName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductName\"}}},{\"name\":\"scan.exiftool.ProductVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersion\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ProductVersionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.ProductVersionNumber.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ProductVersionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.RevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.RevisionNumber.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi
\":{\"parent\":\"scan.exiftool.RevisionNumber\"}}},{\"name\":\"scan.exiftool.ScaleCrop\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.ScaleCrop.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.ScaleCrop.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.ScaleCrop\"}}},{\"name\":\"scan.exiftool.Security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Security.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.Security.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Security\"}}},{\"name\":\"scan.exiftool.SharedDoc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SharedDoc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.SharedDoc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SharedDoc\"}}},{\"name\":\"scan.exiftool.Software\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Software.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.Software.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Software\"}}},{\"name\":\"scan.exiftool.SourceFile\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SourceFile.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SourceFile.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SourceFile\"}}},{\"name\":\"scan.exiftool.SpecialBuild\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SpecialBuild.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"
name\":\"scan.exiftool.SpecialBuild.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SpecialBuild\"}}},{\"name\":\"scan.exiftool.Subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subject\"}}},{\"name\":\"scan.exiftool.Subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.Subsystem.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Subsystem\"}}},{\"name\":\"scan.exiftool.SubsystemVersion\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SubsystemVersion.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SubsystemVersion.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SubsystemVersion\"}}},{\"name\":\"scan.exiftool.SvnRevision\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.SvnRevision.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.SvnRevision.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.SvnRevision\"}}},{\"name\":\"scan.exiftool.Template\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Template.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.Template.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Template\"}}},{\"name\":\"scan.exiftool.TimeStamp\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool
.TimeStamp.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.TimeStamp.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TimeStamp\"}}},{\"name\":\"scan.exiftool.Title\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Title.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.Title.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Title\"}}},{\"name\":\"scan.exiftool.TitleOfParts\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TitleOfParts.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TitleOfParts.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TitleOfParts\"}}},{\"name\":\"scan.exiftool.TotalEditTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.TotalEditTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.TotalEditTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.TotalEditTime\"}}},{\"name\":\"scan.exiftool.Trapped\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Trapped.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.Trapped.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Trapped\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.UninitializedDataSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.UninitializedDataSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\"
:{\"parent\":\"scan.exiftool.UninitializedDataSize\"}}},{\"name\":\"scan.exiftool.Warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Warning.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Warning\"}}},{\"name\":\"scan.exiftool.Words\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.Words.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.Words.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.Words\"}}},{\"name\":\"scan.exiftool.XMPToolkit\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.exiftool.XMPToolkit.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.XMPToolkit.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.exiftool.XMPToolkit\"}}},{\"name\":\"scan.exiftool.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.header.header\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.header.header.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.header.header.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.header.header\"}}},{\"name\":\"scan.ini.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ini.keys.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.name\"}}},{\"name\":\"scan.ini.keys.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.in
i.keys.name\"}}},{\"name\":\"scan.ini.keys.section\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.section.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.section.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.section\"}}},{\"name\":\"scan.ini.keys.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.keys.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.keys.value.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ini.keys.value\"}}},{\"name\":\"scan.ini.sections\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.ini.sections.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.ini.sections.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"s
ubType\":{\"multi\":{\"parent\":\"scan.ini.sections\"}}},{\"name\":\"scan.libarchive.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.libarchive.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.mmbot.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.mmbot.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.mmbot.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.mmbot.flags\"}}},{\"name\":\"scan.ocr.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sc
an.ole.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.ole.flags\"}}},{\"name\":\"scan.ole.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.ole.flags\"}}},{\"name\":\"scan.ole.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.ole.total.streams\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pdf.total.objects\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.age\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.debug.guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.g
uid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.guid\"}}},{\"name\":\"scan.pe.debug.pdb\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.pdb.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.pdb.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.pdb\"}}},{\"name\":\"scan.pe.debug.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.debug.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.debug.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.debug.type\"}}},{\"name\":\"scan.pe.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.file_info.fixed.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.flags.keyword\",\"type\":\"string
\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.flags\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.operating_systems.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.operating_systems.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.operating_systems\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.fixed.type.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.fixed.type.primary\"}}},{\"name\":\"scan.pe.file_info.fixed.type.primary.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_inf
o.fixed.type.primary\"}}},{\"name\":\"scan.pe.file_info.string.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.name\"}}},{\"name\":\"scan.pe.file_info.string.value\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.string.value.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.string.value.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.string.value\"}}},{\"name\":\"scan.pe.file_info.var.character_set\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.character_set.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.v
ar.character_set.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.character_set\"}}},{\"name\":\"scan.pe.file_info.var.language\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.file_info.var.language.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.file_info.var.language.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.file_info.var.language\"}}},{\"name\":\"scan.pe.flags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.flags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.flags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.flags\"}}},{\"name\":\"scan.pe.header.address.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.data\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"scan.pe.header.address.entry_point\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.address.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.file\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.alignment.section\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.characteristics.dll\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.dll.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.dll.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.dll\"}}},{\"name\":\"scan.pe.header.characteristics.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.characteristics.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}
}},{\"name\":\"scan.pe.header.characteristics.image.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.characteristics.image\"}}},{\"name\":\"scan.pe.header.checksum\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.machine.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.machine.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.machine.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.machine.type\"}}},{\"name\":\"scan.pe.header.magic.dos\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.dos.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.dos.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.dos\"}}},{\"name\":\"scan.pe.header.magic.image\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.magic.image.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.magic.image.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.magic.image\"}}},{\"name\":\"scan.pe.header.size.code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.initialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.data.uninitialized\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.headers\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.heap.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.image\",\"type\":\"number\",\"esT
ypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.commit\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.size.stack.reserve\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.subsystem\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.header.subsystem.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.subsystem.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.header.subsystem\"}}},{\"name\":\"scan.pe.header.timestamp\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.image\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.linker\",\"type\":\"number\",\"esTypes\":[\"float\",\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.version.operating_system\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.header.
version.subsystem\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.imphash\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.imphash.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.imphash.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.imphash\"}}},{\"name\":\"scan.pe.resources.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.resources.language.primary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.primary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.primary.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.primary\"}}},{\"name\":\"scan.pe.resources.language.sub\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.language.sub.keyword\
",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.language.sub.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.language.sub\"}}},{\"name\":\"scan.pe.resources.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.name\"}}},{\"name\":\"scan.pe.resources.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.resources.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.resources.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.resources.type\"}}},{\"name\":\"scan.pe.sections.address.physical\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.address.virtual\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.characteristics\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.characteristics.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.characteristics.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.characteristics\"}}},{\"name\":\"scan.pe.sections.entropy\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.sections.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.sections.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.sections.name\"}}},{\"name\":\"scan.pe.sections.size\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.exported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.exported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.exported.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.exported\"}}},{\"name\":\"scan.pe.symbols.imported\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.imported.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.imported.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.imported\"}}},{\"name\":\"scan.pe.symbols.libraries\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.libraries.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.libraries.security\",\"type\":\"string\",\"esType
s\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.libraries\"}}},{\"name\":\"scan.pe.symbols.table.address\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.symbols.table.library\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.library.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.library.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.library\"}}},{\"name\":\"scan.pe.symbols.table.symbol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.symbol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbol\"}}},{\"name\":\"scan.pe.symbols.table.symbols\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromD
ocValues\":false},{\"name\":\"scan.pe.symbols.table.symbols.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.symbols.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.symbols\"}}},{\"name\":\"scan.pe.symbols.table.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.pe.symbols.table.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.symbols.table.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.pe.symbols.table.type\"}}},{\"name\":\"scan.pe.total.libraries\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.resources\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.sections\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pe.total.symbols\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"scan.pkcs7.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.certificates\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.pkcs7.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.upx.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.url.urls\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.url.urls.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.url.urls.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.url.urls\"}}},{\"name\":\"scan.vb.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vb.functions\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.functions.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.functions.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.functions\"}}},{\"name\":\"scan.vb.names\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.names.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.names.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.names\"}}},{\"name\":\"scan.vb.operators\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.operators.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.operators.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.operators\"}}},{\"name\":\"scan.vb.strings\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.strings.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.strings.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.strings\"}}},{\"name\":\"scan.vb.tokens\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vb.tokens.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vb.tokens.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vb.tokens\"}}},{\"name\":\"scan.vba.auto_exec\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.auto_exec.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.auto_exec.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.auto_exec\"}}},{\"name\":\"scan.vba.base64\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.base64.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.base64.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.base64\"}}},{\"name\":\"scan.vba.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.ioc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.ioc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.ioc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.ioc\"}}},{\"name\":\"scan.vba.suspicious\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.vba.suspicious.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.suspicious.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.vba.suspicious\"}}},{\"name\":\"scan.vba.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.vba.total.files\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.expired\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.fingerprint\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.fingerprint.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.fingerprint.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.fingerprint\"}}},{\"name\":\"scan.x509.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.issuer\"}}},{\"name\":\"scan.x509.not_after\",\"type\":\"number\",\"esT
ypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.not_before\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.x509.serial_number\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.serial_number.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.serial_number.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.serial_number\"}}},{\"name\":\"scan.x509.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.x509.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.x509.subject\"}}},{\"name\":\"scan.x509.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFr
omDocValues\":true},{\"name\":\"scan.xml.namespaces\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.namespaces.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.namespaces.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.xml.namespaces\"}}},{\"name\":\"scan.xml.tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.tags.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.xml.tags\"}}},{\"name\":\"scan.xml.total.extracted\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.total.tags\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.xml.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.xml.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.xml.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.xml.version\"}}},{\"name\":\"scan.yara.elapsed\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"scan.yara.matches\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"scan.yara.matches.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"scan.yara.matches.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"scan.yara.matches\"}}},{\"name\":\"server.address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.address\"}}},{\"name\":\"server.bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.ip_bytes\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.packets\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.port\",\"type\":\"number\",\"esTypes\":[\"integer\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.reply_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.reply_message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.reply_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.reply_message\"}}},{\"name\":\"server.status_code\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server.status_message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.status_message.keyword\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"server.status_message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"server.status_message\"}}},{\"name\":\"sip.call_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.call_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.call_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.call_id\"}}},{\"name\":\"sip.content_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.content_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.content_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.content_type\"}}},{\"name\":\"sip.date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.date.keyword\",\"type\":\"string\",\"esTypes\":[\"k
eyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.date.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.date\"}}},{\"name\":\"sip.method\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.method.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.method.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.method\"}}},{\"name\":\"sip.request.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.request.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.request.from\"}}},{\"name\":\"sip.request.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.request.path\"}}},{\"name\":\"sip.request.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.request.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.request.to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.request.to\"}}},{\"name\":\"sip.response.body.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.response.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"m
ulti\":{\"parent\":\"sip.response.from\"}}},{\"name\":\"sip.response.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.response.path\"}}},{\"name\":\"sip.response.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.response.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.response.to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.response.to\"}}},{\"name\":\"sip.seq\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.seq.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"name\":\"sip.seq.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.seq\"}}},{\"nam
e\":\"sip.transaction.depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sip.uri\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.uri.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.uri.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.uri\"}}},{\"name\":\"sip.warning\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sip.warning.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"sip.warning.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"sip.warning\"}}},{\"name\":\"smb.file_system\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.file_system.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.file_system.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.file_system\"}}},{\"name\":\"smb.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.path\"}}},{\"name\":\"smb.service\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.service.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.service.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.service\"}}},{\"name\":\"smb.share_type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smb.share_type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smb.share_type\"}}},{\"name\":\"smb.share_type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smb.sh
are_type\"}}},{\"name\":\"smtp.cc\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.cc.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.cc.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.cc\"}}},{\"name\":\"smtp.first_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.first_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.first_received.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.first_received\"}}},{\"name\":\"smtp.from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.from\"}}},{\"name\":\"smtp.helo\",\"type\":\"string\",\"esTypes\":
[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.helo.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.helo.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.helo\"}}},{\"name\":\"smtp.in_reply_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.in_reply_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.in_reply_to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.in_reply_to\"}}},{\"name\":\"smtp.is_webmail\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.last_reply\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.last_reply.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.last_reply.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.last_reply\"}}},{\"name\":\"smtp.mail_date\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_date.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_date.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_date\"}}},{\"name\":\"smtp.mail_from\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.mail_from.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.mail_from.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.mail_from\"}}},{\"name\":\"smtp.message_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.message_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.message_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\"
:{\"multi\":{\"parent\":\"smtp.message_id\"}}},{\"name\":\"smtp.path\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.path.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.path.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.path\"}}},{\"name\":\"smtp.recipient_to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.recipient_to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.recipient_to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.recipient_to\"}}},{\"name\":\"smtp.second_received\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.second_received.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.second_received\"}}},{\"name\":\"smtp.second_received.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"paren
t\":\"smtp.second_received\"}}},{\"name\":\"smtp.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.subject\"}}},{\"name\":\"smtp.tls\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.to\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.to.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.to.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.to\"}}},{\"name\":\"smtp.transaction_depth\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"smtp.useragent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"smtp.useragent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"smtp.useragent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"smtp.useragent\"}}},{\"name\":\"snmp.community\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.community.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.community.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.community\"}}},{\"name\":\"snmp.display_string\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.display_string.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.display_string.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.display_string\"}}},{\"name\":\"snmp.get.bulk_requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.get.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"snmp.get.responses\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.set.requests\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"snmp.up_since\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.up_since.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.up_since.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.up_since\"}}},{\"name\":\"snmp.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"snmp.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"snmp.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"snmp.version\"}}},{\"name\":\"socks.bound.host\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.bound.host.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\"
:true,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.host.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.bound.host\"}}},{\"name\":\"socks.bound.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.request.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.request.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.request.name\"}}},{\"name\":\"socks.request.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"socks.status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.status.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.status\"}}},{\"name\":\"socks.u
ser\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"socks.user.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.user.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"socks.user\"}}},{\"name\":\"socks.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.name\"}}},{\"name\":\"software.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":fa
lse,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.type\"}}},{\"name\":\"software.version.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.additional_info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.version.additional_info\"}}},{\"name\":\"software.version.major\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.minor2\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software.version.unparsed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software.version.unparsed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"software.version.unparsed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"software.version.unparsed\"}}},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.city_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.city_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.city_name\"}}},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.continent_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.continent_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.continent_name\"}}},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_iso_code.security\",\"type\":\"st
ring\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_iso_code\"}}},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.country_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.country_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.country_name\"}}},{\"name\":\"source.geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lat\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location.lon\",\"type\":\"number\",\"esTypes\":[\"float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_iso_code.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_iso_code.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_iso_code\"}}},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.region_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.region_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.region_name\"}}},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.geo.timezone.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.geo.timezone.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.geo.timezone\"}}},{\"name\":\"source.hostname\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source.hostname.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"source.hostname\"}}},{\"name\":\"source.hostname.security\",\"type\":\"string\"
,\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"source.hostname\"}}},{\"name\":\"source.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"esTypes\":[\"ip\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"esTypes\":[\"geo_point\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"esTypes\":[\"half_float\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.attempts\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.authentication.success\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssh.cipher_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.cipher_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mul
ti\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.cipher_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.cipher_algorithm\"}}},{\"name\":\"ssh.client\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.client\"}}},{\"name\":\"ssh.client_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.client_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.client_host_key_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.client_host_key_algorithms\"}}},{\"name\":\"ssh.compression_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.compression_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.compression_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.compression_algorithm\"}}},{\"name\":\"ssh.direction\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.direction.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.direction.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.direction\"}}},{\"name\":\"ssh.hassh_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_algorithms\"}}},{\"name\":\"ssh.hassh_server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":f
alse,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server\"}}},{\"name\":\"ssh.hassh_server_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_server_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_server_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_server_algorithms\"}}},{\"name\":\"ssh.hassh_version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.hassh_version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.hassh_version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.hassh_version\"}}},{\"name\":\"ssh.host_key\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key.keyword\",\"type\":\"string\",\"esT
ypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key\"}}},{\"name\":\"ssh.host_key_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.host_key_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.host_key_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.host_key_algorithm\"}}},{\"name\":\"ssh.kex_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.kex_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.kex_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.kex_algorithm\"}}},{\"name\":\"ssh.mac_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.mac_algorithm.keyword\",\"typ
e\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.mac_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.mac_algorithm\"}}},{\"name\":\"ssh.server\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.server\"}}},{\"name\":\"ssh.server_host_key_algorithms\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssh.server_host_key_algorithms.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.server_host_key_algorithms.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssh.server_host_key_algorithms\"}}},{\"name\":\"ssh.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"s
sl.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.chain_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.chain_fuids\"}}},{\"name\":\"ssl.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.issuer\"}}},{\"name\":\"ssl.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.certificate.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.certificate.subject\"}}},{\"name\":\"ssl.cipher\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.cipher.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.cipher.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.cipher\"}}},{\"name\":\"ssl.client.certificate.chain_fuids\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.certificate.chain_fuids.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.certificate.chain_fuids.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.client.certificate.chain_fuids\"}}},{\"name\":\"ssl.client.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.client.issuer\"}}},{\"name\":\"ssl.client.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.client.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.client.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.client.subject\"}}},{\"name\":\"ssl.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.curve.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.curve\"}}},{\"name\":\"ssl.established\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.last_alert\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.last_alert.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.last_alert.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.last_alert\"}}},{\"name\":\"ssl.next_protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.next_protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.next_protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.next_protocol\"}}},{\"name\":\"ssl.resumed\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ssl.server_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.server_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.server_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.server_name\"}}},{\"name\":\"ssl.validation_status\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ss
l.validation_status.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.validation_status.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.validation_status\"}}},{\"name\":\"ssl.version\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ssl.version.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"ssl.version.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"ssl.version\"}}},{\"name\":\"syslog.facility_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog.facility_label.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.facility_label\"}}},{\"name\":\"syslog.facility_label.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"syslog.facility_label\"}}},{\"name\":\"syslog.severity_label\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":f
alse},{\"name\":\"syslog.severity_label\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"syslog.severity_label\"}}},{\"name\":\"syslog.severity_label.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"syslog.severity_label\"}}},{\"name\":\"tags\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tags.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tags\"}}},{\"name\":\"tunnel.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"tunnel.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"tunnel.type\"}}},{\"name\":\"user.escalated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.escalated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.escalated\"}}},{\"name\":\"user.escalated.security\",\"type\":\"strin
g\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.escalated\"}}},{\"name\":\"user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"user.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"user.name\"}}},{\"name\":\"version.minor3\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.additional_info\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.additional_info.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.additional_info.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"weird.additional_info\"}}},{\"name\":\"weird.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"weird.name\"}}},{\"name\":\"weird.notice\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"weird.peer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"weird.peer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"weird.peer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"weird.peer\"}}},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.activity_id.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.activity_id.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.activity_id\"}}},{\"name\":\"winlog.api\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.api.keyword
\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.api.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.api\"}}},{\"name\":\"winlog.channel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.channel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.channel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.channel\"}}},{\"name\":\"winlog.computer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer\"}}},{\"name\":\"winlog.computer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.computer\"}}},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.computer_name.keyword\",\"type\":\"string\",\"esTyp
es\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.computer_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.computer_name\"}}},{\"name\":\"winlog.eventRecordID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.eventRecordID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.eventRecordID\"}}},{\"name\":\"winlog.eventRecordID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.eventRecordID\"}}},{\"name\":\"winlog.eventSourceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.eventSourceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.eventSourceName\"}}},{\"name\":\"winlog.eventSourceName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.eventSourceName\"}}},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e},{\"name\":\"winlog.event_data.AccessList.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessList\"}}},{\"name\":\"winlog.event_data.AccessList.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessList\"}}},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AccessMask.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessMask\"}}},{\"name\":\"winlog.event_data.AccessMask.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AccessMask\"}}},{\"name\":\"winlog.event_data.Address\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Address.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_data.Address.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Address\"}}},{\"name\":\"winlog.event_d
ata.AddressLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.AddressLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.AddressLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.AddressLength\"}}},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Binary.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.Binary.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Binary\"}}},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.CreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.CreationUtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.CreationUtcTime\"}}},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceName\"}}},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceNameLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceNameLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceNameLength\"}}},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceTime\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMajor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMajor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMajor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DeviceVersionMinor.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DeviceVersionMinor.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DeviceVersionMinor\"}}},{\"name\":\"winlog.event_data.DirtyPages\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":
0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.DirtyPages.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DirtyPages\"}}},{\"name\":\"winlog.event_data.DirtyPages.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.DirtyPages\"}}},{\"name\":\"winlog.event_data.FileName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FileName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FileName\"}}},{\"name\":\"winlog.event_data.FileName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FileName\"}}},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.FinalStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.FinalStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":fals
e,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.FinalStatus\"}}},{\"name\":\"winlog.event_data.HandleId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.HandleId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HandleId\"}}},{\"name\":\"winlog.event_data.HandleId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HandleId\"}}},{\"name\":\"winlog.event_data.Hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.Hashes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Hashes\"}}},{\"name\":\"winlog.event_data.HiveName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.HiveName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveName\"}}},{\"name\":\"winlog.event_data.HiveName.security\",\"typ
e\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveName\"}}},{\"name\":\"winlog.event_data.HiveNameLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.HiveNameLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveNameLength\"}}},{\"name\":\"winlog.event_data.HiveNameLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.HiveNameLength\"}}},{\"name\":\"winlog.event_data.ImageLoaded\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ImageLoaded.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.ImageLoaded.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ImageLoaded\"}}},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.IntegrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.IntegrityLevel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.IntegrityLevel\"}}},{\"name\":\"winlog.event_data.KeysUpdated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.KeysUpdated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.KeysUpdated\"}}},{\"name\":\"winlog.event_data.KeysUpdated.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.KeysUpdated\"}}},{\"name\":\"winlog.event_data.LinkName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LinkName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LinkName\"}}},{\"name\":\"winlog.event_data.LinkName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LinkName\"}}},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchab
le\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonGuid\"}}},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.LogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.LogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.LogonId\"}}},{\"name\":\"winlog.event_data.NewSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewSize\"}}},{\"name\":\"winlog.event_data.NewSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data
.NewSize\"}}},{\"name\":\"winlog.event_data.NewState\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewState.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewState\"}}},{\"name\":\"winlog.event_data.NewState.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewState\"}}},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.NewTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.NewTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.NewTime\"}}},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ObjectName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectName\"}}},{\"name\":\"winlog.event_data.ObjectName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectName\"}}},{\"name\":\"winlog.event_data.ObjectServer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ObjectServer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectServer\"}}},{\"name\":\"winlog.event_data.ObjectServer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectServer\"}}},{\"name\":\"winlog.event_data.ObjectType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ObjectType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectType\"}}},{\"name\":\"winlog.event_data.ObjectType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ObjectType\"}}},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OldTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.OldTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OldTime\"}}},{\"name\":\"winlog.event_data.OriginalSize\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.OriginalSize.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OriginalSize\"}}},{\"name\":\"winlog.event_data.OriginalSize.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.OriginalSize\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousCreationUtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousCreationUtcTime\"}}},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"
aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.PreviousTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.PreviousTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.PreviousTime\"}}},{\"name\":\"winlog.event_data.ProcessID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessID\"}}},{\"name\":\"winlog.event_data.ProcessID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessID\"}}},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\
"winlog.event_data.ProcessId\"}}},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.ProcessName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ProcessName\"}}},{\"name\":\"winlog.event_data.QueryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryName\"}}},{\"name\":\"winlog.event_data.QueryResults\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryResults.security\"
,\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryResults\"}}},{\"name\":\"winlog.event_data.QueryStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.QueryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.QueryStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.QueryStatus\"}}},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Reason.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.Reason.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Reason\"}}},{\"name\":\"winlog.event_data.ResourceAttributes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ResourceAttributes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\
":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceAttributes\"}}},{\"name\":\"winlog.event_data.ResourceAttributes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceAttributes\"}}},{\"name\":\"winlog.event_data.ResourceManager\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ResourceManager.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceManager\"}}},{\"name\":\"winlog.event_data.ResourceManager.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ResourceManager\"}}},{\"name\":\"winlog.event_data.RuleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.RuleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.RuleName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.RuleName\"}}},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signature.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.Signature.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signature\"}}},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SignatureStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.SignatureStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SignatureStatus\"}}},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.Signed.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.Signed.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subTyp
e\":{\"multi\":{\"parent\":\"winlog.event_data.Signed\"}}},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectDomainName\"}}},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectLogonId\"}}},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlo
g.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.SubjectUserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.SubjectUserSid\"}}},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TerminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TerminalSessionId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TerminalSessionId\"}}},{\"name\":\"winlog.event_data.TransactionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.TransactionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TransactionId\"}}},{\"name\":\"winlog.event_data.TransactionId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.TransactionId\"}}},{\"name\":\"winlog.event_data.UtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"na
me\":\"winlog.event_data.UtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.UtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.UtcTime\"}}},{\"name\":\"winlog.event_data.authenticationPackageName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.authenticationPackageName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.authenticationPackageName\"}}},{\"name\":\"winlog.event_data.authenticationPackageName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.authenticationPackageName\"}}},{\"name\":\"winlog.event_data.callerProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.callerProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessId\"}}},{\"name\":\"winlog.event_data.callerProcessId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subTy
pe\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessId\"}}},{\"name\":\"winlog.event_data.callerProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.callerProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessName\"}}},{\"name\":\"winlog.event_data.callerProcessName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.callerProcessName\"}}},{\"name\":\"winlog.event_data.clientProcessId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.clientProcessId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.clientProcessId\"}}},{\"name\":\"winlog.event_data.clientProcessId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.clientProcessId\"}}},{\"name\":\"winlog.event_data.countOfCredentialsReturned\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.countOfCredentialsReturned.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"s
ubType\":{\"multi\":{\"parent\":\"winlog.event_data.countOfCredentialsReturned\"}}},{\"name\":\"winlog.event_data.countOfCredentialsReturned.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.countOfCredentialsReturned\"}}},{\"name\":\"winlog.event_data.creationUtcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.creationUtcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.creationUtcTime\"}}},{\"name\":\"winlog.event_data.creationUtcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.creationUtcTime\"}}},{\"name\":\"winlog.event_data.data\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.data.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.data\"}}},{\"name\":\"winlog.event_data.data.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.data\"}}},{\"name\":\"winlog.event_data.destinationIsIpv6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"re
adFromDocValues\":false},{\"name\":\"winlog.event_data.destinationIsIpv6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationIsIpv6\"}}},{\"name\":\"winlog.event_data.destinationIsIpv6.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationIsIpv6\"}}},{\"name\":\"winlog.event_data.destinationPortName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.destinationPortName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationPortName\"}}},{\"name\":\"winlog.event_data.destinationPortName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.destinationPortName\"}}},{\"name\":\"winlog.event_data.details\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.details.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.details\"}}},{\"name\":\"winlog.event_data.details.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false
,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.details\"}}},{\"name\":\"winlog.event_data.elevatedToken\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.elevatedToken.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.elevatedToken\"}}},{\"name\":\"winlog.event_data.elevatedToken.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.elevatedToken\"}}},{\"name\":\"winlog.event_data.errorCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.errorCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.errorCode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.errorCode\"}}},{\"name\":\"winlog.event_data.eventType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.eventType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.eventType\"}}},{\"name\":\"winlo
g.event_data.eventType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.eventType\"}}},{\"name\":\"winlog.event_data.hashes\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.hashes.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.hashes\"}}},{\"name\":\"winlog.event_data.hashes.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.hashes\"}}},{\"name\":\"winlog.event_data.imagePath\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.imagePath.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.imagePath\"}}},{\"name\":\"winlog.event_data.imagePath.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.imagePath\"}}},{\"name\":\"winlog.event_data.impersonationLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.impersonationLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.impersonationLevel\"}}},{\"name\":\"winlog.event_data.impersonationLevel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.impersonationLevel\"}}},{\"name\":\"winlog.event_data.initiated\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.initiated.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.initiated\"}}},{\"name\":\"winlog.event_data.initiated.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.initiated\"}}},{\"name\":\"winlog.event_data.integrityLevel\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.integrityLevel.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.integrityLevel\"}}},{\"name\":\"winlog.event_data.integrityLevel.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.integrityLevel\"}}},{\"name\":\"winlog.event_data.keyLength\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.keyLength.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.keyLength\"}}},{\"name\":\"winlog.event_data.keyLength.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.keyLength\"}}},{\"name\":\"winlog.event_data.logonGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonGuid\"}}},{\"name\":\"winlog.event_data.logonGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonGuid\"}}},{\"name\":\"winlog.event_data.logonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonId\"}}},{\"name\":\"winlog.event_data.logonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\
"multi\":{\"parent\":\"winlog.event_data.logonId\"}}},{\"name\":\"winlog.event_data.logonProcessName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonProcessName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonProcessName\"}}},{\"name\":\"winlog.event_data.logonProcessName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonProcessName\"}}},{\"name\":\"winlog.event_data.logonType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.logonType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonType\"}}},{\"name\":\"winlog.event_data.logonType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.logonType\"}}},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param1.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_d
ata.param1.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param1\"}}},{\"name\":\"winlog.event_data.param10\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param10.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param10\"}}},{\"name\":\"winlog.event_data.param10.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param10\"}}},{\"name\":\"winlog.event_data.param11\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param11.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param11\"}}},{\"name\":\"winlog.event_data.param11.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param11\"}}},{\"name\":\"winlog.event_data.param16\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param16.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param16\"}}},{\"name\":\"winlog.event_data.param16.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param16\"}}},{\"name\":\"winlog.event_data.param19\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param19.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param19\"}}},{\"name\":\"winlog.event_data.param19.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param19\"}}},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param2.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param2.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param2\"}}},{\"name\":\"winlog.event_data.param20\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param
20.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param20\"}}},{\"name\":\"winlog.event_data.param20.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param20\"}}},{\"name\":\"winlog.event_data.param21\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param21.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param21\"}}},{\"name\":\"winlog.event_data.param21.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param21\"}}},{\"name\":\"winlog.event_data.param22\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param22.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param22\"}}},{\"name\":\"winlog.event_data.param22.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param22\"}}},{\"name\":\"winlog.event_data.param23\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\
":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param23.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param23\"}}},{\"name\":\"winlog.event_data.param23.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param23\"}}},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param3.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param3.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param3\"}}},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param4.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param4.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"w
inlog.event_data.param4\"}}},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param5.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param5.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param5\"}}},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param6.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param6\"}}},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param7.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.param7.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":
false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param7\"}}},{\"name\":\"winlog.event_data.param8\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param8.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param8\"}}},{\"name\":\"winlog.event_data.param8.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param8\"}}},{\"name\":\"winlog.event_data.param9\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.param9.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param9\"}}},{\"name\":\"winlog.event_data.param9.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.param9\"}}},{\"name\":\"winlog.event_data.privilegeList\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.privilegeList.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data
.privilegeList\"}}},{\"name\":\"winlog.event_data.privilegeList.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.privilegeList\"}}},{\"name\":\"winlog.event_data.processCreationTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.processCreationTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processCreationTime\"}}},{\"name\":\"winlog.event_data.processCreationTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processCreationTime\"}}},{\"name\":\"winlog.event_data.processId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.processId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processId\"}}},{\"name\":\"winlog.event_data.processId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processId\"}}},{\"name\":\"winlog.event_data.processName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_d
ata.processName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processName\"}}},{\"name\":\"winlog.event_data.processName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.processName\"}}},{\"name\":\"winlog.event_data.protocol\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.protocol.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.protocol\"}}},{\"name\":\"winlog.event_data.protocol.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.protocol\"}}},{\"name\":\"winlog.event_data.queryName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.queryName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryName\"}}},{\"name\":\"winlog.event_data.queryName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryName\"}}},{\"name\":\"winlog.event_data.queryResults\",\"type
\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.queryResults.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryResults\"}}},{\"name\":\"winlog.event_data.queryResults.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryResults\"}}},{\"name\":\"winlog.event_data.queryStatus\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.queryStatus.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryStatus\"}}},{\"name\":\"winlog.event_data.queryStatus.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.queryStatus\"}}},{\"name\":\"winlog.event_data.readOperation\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.readOperation.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.readOperation\"}}},{\"name\":\"winlog.event_data.readOperation.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted
\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.readOperation\"}}},{\"name\":\"winlog.event_data.returnCode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.returnCode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.returnCode\"}}},{\"name\":\"winlog.event_data.returnCode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.returnCode\"}}},{\"name\":\"winlog.event_data.ruleName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.ruleName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ruleName\"}}},{\"name\":\"winlog.event_data.ruleName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.ruleName\"}}},{\"name\":\"winlog.event_data.serviceGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"mul
ti\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.serviceGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceGuid\"}}},{\"name\":\"winlog.event_data.serviceName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceName\"}}},{\"name\":\"winlog.event_data.serviceName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceName\"}}},{\"name\":\"winlog.event_data.serviceType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.serviceType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceType\"}}},{\"name\":\"winlog.event_data.serviceType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.serviceType\"}}},{\"name\":\"winlog.event_data.sourceIsIpv6\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_
data.sourceIsIpv6.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.sourceIsIpv6\"}}},{\"name\":\"winlog.event_data.sourceIsIpv6.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.sourceIsIpv6\"}}},{\"name\":\"winlog.event_data.startType\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.startType.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.startType\"}}},{\"name\":\"winlog.event_data.startType.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.startType\"}}},{\"name\":\"winlog.event_data.subjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectDomainName\"}}},{\"name\":\"winlog.event_data.subjectDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectDomainName\"}}},{
\"name\":\"winlog.event_data.subjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectLogonId\"}}},{\"name\":\"winlog.event_data.subjectLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectLogonId\"}}},{\"name\":\"winlog.event_data.subjectUserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectUserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserName\"}}},{\"name\":\"winlog.event_data.subjectUserName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserName\"}}},{\"name\":\"winlog.event_data.subjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.subjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserSid\"}}},{\"name\":\"winlog.event_data.subject
UserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.subjectUserSid\"}}},{\"name\":\"winlog.event_data.targetDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetDomainName\"}}},{\"name\":\"winlog.event_data.targetDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetDomainName\"}}},{\"name\":\"winlog.event_data.targetLinkedLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetLinkedLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLinkedLogonId\"}}},{\"name\":\"winlog.event_data.targetLinkedLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLinkedLogonId\"}}},{\"name\":\"winlog.event_data.targetLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetLogonId.
keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLogonId\"}}},{\"name\":\"winlog.event_data.targetLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetLogonId\"}}},{\"name\":\"winlog.event_data.targetName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetName\"}}},{\"name\":\"winlog.event_data.targetName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetName\"}}},{\"name\":\"winlog.event_data.targetObject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetObject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetObject\"}}},{\"name\":\"winlog.event_data.targetObject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetObject\"}}},{\"name\":\"winlog.event_data.target
Sid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetSid\"}}},{\"name\":\"winlog.event_data.targetSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetSid\"}}},{\"name\":\"winlog.event_data.targetUserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetUserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserName\"}}},{\"name\":\"winlog.event_data.targetUserName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserName\"}}},{\"name\":\"winlog.event_data.targetUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.targetUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserSid\"}}},{\"name\":\"winlog.event_data.targetUserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count
\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.targetUserSid\"}}},{\"name\":\"winlog.event_data.terminalSessionId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.terminalSessionId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.terminalSessionId\"}}},{\"name\":\"winlog.event_data.terminalSessionId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.terminalSessionId\"}}},{\"name\":\"winlog.event_data.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.type\"}}},{\"name\":\"winlog.event_data.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.type\"}}},{\"name\":\"winlog.event_data.updateGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateGuid\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateRevisionNumber.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateRevisionNumber.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateRevisionNumber\"}}},{\"name\":\"winlog.event_data.updateTitle\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.updateTitle.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_data.updateTitle.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.updateTitle\"}}},{\"name\":\"winlog.event_data.utcTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatab
le\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.utcTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.utcTime\"}}},{\"name\":\"winlog.event_data.utcTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.utcTime\"}}},{\"name\":\"winlog.event_data.virtualAccount\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.event_data.virtualAccount.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.virtualAccount\"}}},{\"name\":\"winlog.event_data.virtualAccount.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.event_data.virtualAccount\"}}},{\"name\":\"winlog.event_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.keywords.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.keywords.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.keywords\"}}},{\"name\":\"winlog.level\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.level.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.level\"}}},{\"name\":\"winlog.level.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.level\"}}},{\"name\":\"winlog.message\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.message.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.message\"}}},{\"name\":\"winlog.message.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.message\"}}},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.opcode.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.opcode.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable
\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.opcode\"}}},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.processID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.processID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.processID\"}}},{\"name\":\"winlog.processID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.processID\"}}},{\"name\":\"winlog.providerGuid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.providerGuid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.providerGuid\"}}},{\"name\":\"winlog.providerGuid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.providerGuid\"}}},{\"name\":\"winlog.providerName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.pro
viderName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.providerName\"}}},{\"name\":\"winlog.providerName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.providerName\"}}},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_guid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_guid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_guid\"}}},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.provider_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.provider_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.provider_name\"}}},{\"name\":\"winlog.record_id\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"rea
dFromDocValues\":true},{\"name\":\"winlog.severityValue\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.severityValue.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.severityValue\"}}},{\"name\":\"winlog.severityValue.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.severityValue\"}}},{\"name\":\"winlog.systemTime\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.systemTime.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.systemTime\"}}},{\"name\":\"winlog.systemTime.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.systemTime\"}}},{\"name\":\"winlog.task\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.task.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.task\"}}},{\"name\":\"winlog.task.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\
"winlog.task\"}}},{\"name\":\"winlog.threadID\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.threadID.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.threadID\"}}},{\"name\":\"winlog.threadID.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.threadID\"}}},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.domain.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.domain.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user.domain\"}}},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.identifier.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.identifier.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"mu
lti\":{\"parent\":\"winlog.user.identifier\"}}},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user.name\"}}},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user.type\"}}},{\"name\":\"winlog.user_data.SubjectDomainName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectDomainName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectDomainName\"}}},{\"name\":\"winlog.user_data.SubjectDomainName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectDomainName\"}}},{\"name\":\"winlog.user_data.SubjectLogonId\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectLogonId.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectLogonId\"}}},{\"name\":\"winlog.user_data.SubjectLogonId.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectLogonId\"}}},{\"name\":\"winlog.user_data.SubjectUserName\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectUserName.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserName\"}}},{\"name\":\"winlog.user_data.SubjectUserName.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserName\"}}},{\"name\":\"winlog.user_data.SubjectUserSid\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.SubjectUserSid.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserSid\"}}},{\"name\":\"winlog.user_data.SubjectUserSid.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.SubjectUserSid\"}}},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"winlog.user_data.xml_name.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.user_data.xml_name.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"winlog.user_data.xml_name\"}}},{\"name\":\"winlog.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.basic_constraints.ca\",\"type\":\"boolean\",\"esTypes\":[\"boolean\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.curve\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.curve.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.curve.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable
\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.curve\"}}},{\"name\":\"x509.certificate.exponent\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.exponent.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.exponent.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.exponent\"}}},{\"name\":\"x509.certificate.issuer\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.issuer.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.issuer.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.issuer\"}}},{\"name\":\"x509.certificate.key.algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"
name\":\"x509.certificate.key.algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.algorithm\"}}},{\"name\":\"x509.certificate.key.length\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.certificate.key.type\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.key.type.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.key.type.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.key.type\"}}},{\"name\":\"x509.certificate.not_valid_after\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_after.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_after.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_after\"}}},{\"name\":\"x509.certificate.not_valid_before\",\"type\":\"string\",\"esTypes\":[\"text\"]
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.not_valid_before.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.not_valid_before.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.not_valid_before\"}}},{\"name\":\"x509.certificate.serial\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.serial.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.serial.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.serial\"}}},{\"name\":\"x509.certificate.signing_algorithm\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.signing_algorithm.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.signing_algorithm.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatabl
e\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.signing_algorithm\"}}},{\"name\":\"x509.certificate.subject\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.certificate.subject.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.subject.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.certificate.subject\"}}},{\"name\":\"x509.certificate.version\",\"type\":\"number\",\"esTypes\":[\"long\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x509.san_dns\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"x509.san_dns.keyword\",\"type\":\"string\",\"esTypes\":[\"keyword\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}},{\"name\":\"x509.san_dns.security\",\"type\":\"string\",\"esTypes\":[\"text\"],\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false,\"subType\":{\"multi\":{\"parent\":\"x509.san_dns\"}}}]", "timeFieldName": "@timestamp", "title": "*:so-*"}, "coreMigrationVersion": "7.16.2", "id": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 12], "type": "index-pattern", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjY3LDE1XQ=="} +{"attributes": 
{"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - All Logs", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - All Logs\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":29}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 14], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjY4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Logs Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Logs Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": 
[1643385898421, 16], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Source IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 18], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjcwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Destination IPs", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 20], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjcxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMTP - Sender", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMTP - 
Sender\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"From\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "7a789740-75e7-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 22], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjcyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMTP - Recipient", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMTP - 
Recipient\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"To\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.to.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Recipient\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a5742950-75e7-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 24], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMTP - TLS", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - SMTP - 
TLS\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.tls: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"smtp.tls\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"TLS\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e77a2b60-75e7-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 26], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjc0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMTP - Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smtp.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0713ebf0-75e8-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 28], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjc1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMTP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMTP - User 
Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smtp.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"User Agent\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "4178ce00-75e8-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 30], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjc2LDE1XQ=="} +{"attributes": {"columns": ["source.ip", "source.port", "destination.ip", "destination.port", "log.id.uid", "network.community_id", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "Security Onion - All Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 32], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzEzNjc3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smtp\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\"},\"panelIndex\":\"a603d9db-ab4e-40b0-aeb8-0f1c1f84bd85\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\"},\"panelIndex\":\"6fd30865-1d5d-4f8f-9173-77220bb23395\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\"},\"panelIndex\":\"1b0acf7a-2a47-4eb4-9cb2-34cd6c499472\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"d31027fb-a090-474f-9863-712ef30c0b3e\"},\"panelIndex\":\"d31027fb-a090-474f-9863-712ef30c0b3e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\"},\"panelIndex\":\"fb5452b7-cb91-4415-ad6b-37f2c05955fa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\"},\"panelIndex\":\"9aaa1369-1a61-4bb0-bb30-6bbb476fbb8a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":18,\"i\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\"},\"panelIndex\":\"4bf1751e-8da2-4f5a-b66d-2f09338b2053\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefNa
me\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":18,\"h\":18,\"i\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\"},\"panelIndex\":\"9365d9e9-478f-499d-aa41-d8f42081ff1c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":27,\"w\":15,\"h\":18,\"i\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\"},\"panelIndex\":\"18ad4f7a-1a1e-4dcb-8810-bb74d247c9fa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\"},\"panelIndex\":\"44a5b84f-2636-45f4-bb5e-9f8ab11f4107\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"4053cc7e-9771-46d9-8e03-e430ab096805\"},\"panelIndex\":\"4053cc7e-9771-46d9-8e03-e430ab096805\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - SMTP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "00304500-75e7-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "7a789740-75e7-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "a5742950-75e7-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "e77a2b60-75e7-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": 
"0713ebf0-75e8-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "4178ce00-75e8-11ea-9565-7315f4ee5cac", "name": "panel_9", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_10", "type": "search"}], "sort": [1643385898421, 44], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjc4LDE1XQ=="} +{"attributes": {"columns": ["note", "source_ip", "destination_ip", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_notice\",\"default_field\":\"*\"}}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Notices - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 46], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Notices - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "3027c4f0-34e4-11e7-9669-7f1d3242b798", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 48], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "title": "Navigation", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Navigation\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Home](/kibana/app/dashboards#/view/94b52620-342a-11e7-9d52-4f090484f59e) \\n[Help](/kibana/app/dashboards#/view/AV6-POJSDwoBUzALqKAg) \\n\\n**Alert Data** \\n[Bro 
Notices](/kibana/app/dashboards#/view/01600fb0-34e4-11e7-9669-7f1d3242b798) \\n[ElastAlert](/kibana/app/dashboards#/view/1d98d620-7dce-11e7-846a-150cdcaf3374) \\n[HIDS](/kibana/app/dashboards#/view/0de7a390-3644-11e7-a6f7-4f44d7bf1c33) \\n[NIDS](/kibana/app/dashboards#/view/7f27a830-34e5-11e7-9669-7f1d3242b798) \u00a0\u00a0\\n\\n**Bro Hunting** \\n[Connections](/kibana/app/dashboards#/view/e0a34b90-34e6-11e7-9118-45bd317f0ca4) \\n[DCE/RPC](/kibana/app/dashboards#/view/46582d50-3af2-11e7-a83b-b1b4da7d15f4) \\n[DHCP](/kibana/app/dashboards#/view/85348270-357b-11e7-ac34-8965f6420c51) \\n[DNP3](/kibana/app/dashboards#/view/2fdf5bf0-3581-11e7-98ef-19df58fe538b) \\n[DNS](/kibana/app/dashboards#/view/ebf5ec90-34bf-11e7-9b32-bb903919ead9) \\n[Files](/kibana/app/dashboards#/view/2d315d80-3582-11e7-98ef-19df58fe538b) \\n[FTP](/kibana/app/dashboards#/view/27f3b380-3583-11e7-a588-05992195c551) \\n[HTTP](/kibana/app/dashboards#/view/230134a0-34c6-11e7-8360-0b86c90983fd) \\n[Intel](/kibana/app/dashboards#/view/468022c0-3583-11e7-a588-05992195c551) \\n[IRC](/kibana/app/dashboards#/view/56a34ce0-3583-11e7-a588-05992195c551) \\n[Kerberos](/kibana/app/dashboards#/view/6b0d4870-3583-11e7-a588-05992195c551) \\n[Modbus](/kibana/app/dashboards#/view/70c005f0-3583-11e7-a588-05992195c551) \\n[MySQL](/kibana/app/dashboards#/view/7929f430-3583-11e7-a588-05992195c551) \\n[NTLM](/kibana/app/dashboards#/view/022713e0-3ab0-11e7-a83b-b1b4da7d15f4) \\n[PE](/kibana/app/dashboards#/view/8a10e380-3583-11e7-a588-05992195c551) \\n[RADIUS](/kibana/app/dashboards#/view/90b246c0-3583-11e7-a588-05992195c551) \\n[RDP](/kibana/app/dashboards#/view/97f8c3a0-3583-11e7-a588-05992195c551) \\n[RFB](/kibana/app/dashboards#/view/9ef20ae0-3583-11e7-a588-05992195c551) \\n[SIP](/kibana/app/dashboards#/view/ad3c0830-3583-11e7-a588-05992195c551) \\n[SMB](/kibana/app/dashboards#/view/b3a53710-3aaa-11e7-8b17-0d8709b02c80) \\n[SMTP](/kibana/app/dashboards#/view/b10a9c60-3583-11e7-a588-05992195c551) 
\\n[SNMP](/kibana/app/dashboards#/view/b65c2710-3583-11e7-a588-05992195c551) \\n[Software](/kibana/app/dashboards#/view/c2c99c30-3583-11e7-a588-05992195c551) \\n[SSH](/kibana/app/dashboards#/view/c6ccfc00-3583-11e7-a588-05992195c551) \\n[SSL](/kibana/app/dashboards#/view/cca67b60-3583-11e7-a588-05992195c551) \\n[Syslog](/kibana/app/dashboards#/view/c4bbe040-76b3-11e7-ba96-cba76a1e264d) \\n[Tunnels](/kibana/app/dashboards#/view/d7b54ae0-3583-11e7-a588-05992195c551) \\n[Weird](/kibana/app/dashboards#/view/de2da250-3583-11e7-a588-05992195c551) \\n[X.509](/kibana/app/dashboards#/view/e5aa7170-3583-11e7-a588-05992195c551) \\n\\n**Host Hunting** \\n[Autoruns](/kibana/app/dashboards#/view/61d43810-6d62-11e7-8ddb-e71eb260f4a3) \\n[Beats](/kibana/app/dashboards#/view/AWBLNS3CRuBloj96jxub) \\n[Osquery](/kibana/app/dashboards#/view/9d0e2da0-14e1-11e9-82f7-0da02d93a48b) \\n[OSSEC](/kibana/app/dashboards#/view/3a457d70-3583-11e7-a588-05992195c551)\u00a0 \\n[Sysmon](/kibana/app/dashboards#/view/6d189680-6d62-11e7-8ddb-e71eb260f4a3) \\n\\n**Other** \\n[Domain Stats](/kibana/app/dashboards#/view/AWAi6wvxAvKNGEbUWO_j) \\n[Firewall](/kibana/app/dashboards#/view/50173bd0-3582-11e7-98ef-19df58fe538b) \\n[Frequency](/kibana/app/dashboards#/view/AWAi5k4jAvKNGEbUWFis) \\n[Stats](/kibana/app/dashboards#/view/130017f0-46ce-11e7-946f-1bfb1be7c36b) \\n[Syslog](/kibana/app/dashboards#/view/4323af90-76e5-11e7-ab14-e1a4c1bc11e0)\",\"type\":\"markdown\",\"fontSize\":10,\"openLinksInNewTab\":false},\"aggs\":[]}"}, "coreMigrationVersion": "7.16.2", "id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 49], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjgxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - Source IP Addresses", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Notices - Source IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "66e26ad0-3580-11e7-98ef-19df58fe538b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 51], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjgyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - Destination IP Addresses", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Notices - Destination IP Addresses\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": 
"7c47b650-3580-11e7-98ef-19df58fe538b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 53], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - Notice Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Notices - Notice Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "07fdf9e0-39ad-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 55], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjg0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - File MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Notices - File MIME 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_mime_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "53c62730-39ad-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 57], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjg1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - File Description", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Notices - File Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Description\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "793c2640-39ad-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", 
"type": "search"}], "sort": [1643385898421, 59], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjg2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Notice - Destination Port (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Notice - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\
":\"1\",\"customLabel\":\"Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e85e2150-6e0e-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 61], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Notice - Message/Sub-Message", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Bro - Notice - Message/Sub-Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sub_msg.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sub-Message\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "bfeb6210-7bb9-11e7-90ec-cdd3dff73b38", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 63], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjg4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Notices - Log 
Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Notices - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG1uC-xQT5EBNmq3dP", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 65], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjg5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Bro - Notices - Notice Types", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Bro - Notices - Notice 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"note.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Note\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2a949080-4a3d-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 67], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjkwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Notices - Destination Country", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Notices - Destination 
Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "1a879c90-4ca5-11e8-888d-71b91451cf05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 69], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjkxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":136,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":32,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":96,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":160,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7
.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]", "timeRestore": false, "title": "z16.04 - Bro - Notices", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "01600fb0-34e4-11e7-9669-7f1d3242b798", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "3027c4f0-34e4-11e7-9669-7f1d3242b798", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "66e26ad0-3580-11e7-98ef-19df58fe538b", "name": "panel_2", "type": "visualization"}, {"id": "7c47b650-3580-11e7-98ef-19df58fe538b", "name": "panel_3", "type": "visualization"}, {"id": "07fdf9e0-39ad-11e7-8472-0151e5b2b475", "name": "panel_4", "type": "visualization"}, {"id": "53c62730-39ad-11e7-8472-0151e5b2b475", "name": "panel_5", "type": "visualization"}, {"id": "793c2640-39ad-11e7-8472-0151e5b2b475", "name": "panel_6", "type": "visualization"}, {"id": "e85e2150-6e0e-11e7-8624-1fb07dd76c6a", "name": "panel_7", "type": "visualization"}, {"id": "bfeb6210-7bb9-11e7-90ec-cdd3dff73b38", "name": "panel_8", "type": "visualization"}, {"id": "AWDG1uC-xQT5EBNmq3dP", "name": "panel_9", "type": "visualization"}, {"id": "0a3bfbe0-342f-11e7-9e93-53b62e1857b2", "name": "panel_10", "type": "search"}, {"id": "2a949080-4a3d-11e8-9b0a-f1d33346f773", "name": "panel_11", "type": "visualization"}, {"id": "1a879c90-4ca5-11e8-888d-71b91451cf05", "name": "panel_12", "type": "visualization"}], "sort": [1643385898421, 83], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjkyLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 
0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ntlm\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "NTLM - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 85], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"NTLM - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 
minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 87], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjk0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Hostname", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - 
Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 89], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Username", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"title\":\"NTLM - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", 
"type": "search"}], "sort": [1643385898421, 91], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjk2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d37b9330-3af1-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 93], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjk3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f3a92f50-3af1-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 95], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d7f162b0-6e1c-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": 
[1643385898421, 97], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNjk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"NTLM - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHCEx7xQT5EBNmq4Vf", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 99], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzAwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "NTLM - Hostname to Username", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Hostname to 
Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "75ab1050-4a59-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 101], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Server NetBIOS Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Server NetBIOS 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_nb_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server NetBIOS Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c23ea470-0edc-11e9-9846-59f545e7293f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 103], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzAyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Server DNS Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Server DNS 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_dns_computer_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server DNS Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ee6a03f0-0edc-11e9-9846-59f545e7293f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 105], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzAzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NTLM - Server Tree Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NTLM - Server Tree 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_tree_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Tree Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2a054320-0edd-11e9-9846-59f545e7293f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 107], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzA0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":53,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":77,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":53,\"w\":16,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":53,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":53,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"
gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":35,\"y\":32,\"w\":13,\"h\":21,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":13,\"h\":21,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":21,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]", "timeRestore": false, "title": "z16.04 - Bro - NTLM", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "022713e0-3ab0-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "36f23eb0-3ab0-11e7-a83b-b1b4da7d15f4", "name": "panel_1", "type": "visualization"}, {"id": "c21f4fa0-3aab-11e7-8b17-0d8709b02c80", "name": "panel_2", "type": "search"}, {"id": "e2c8e040-3ab0-11e7-a83b-b1b4da7d15f4", "name": "panel_3", "type": "visualization"}, {"id": "4d869ee0-3ab1-11e7-a83b-b1b4da7d15f4", "name": "panel_4", "type": "visualization"}, {"id": "d37b9330-3af1-11e7-a83b-b1b4da7d15f4", "name": "panel_5", "type": "visualization"}, {"id": "f3a92f50-3af1-11e7-a83b-b1b4da7d15f4", "name": "panel_6", "type": "visualization"}, {"id": "d7f162b0-6e1c-11e7-b553-7f80727663c1", "name": "panel_7", "type": "visualization"}, {"id": "AWDHCEx7xQT5EBNmq4Vf", "name": "panel_8", "type": "visualization"}, {"id": 
"75ab1050-4a59-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}, {"id": "c23ea470-0edc-11e9-9846-59f545e7293f", "name": "panel_10", "type": "visualization"}, {"id": "ee6a03f0-0edc-11e9-9846-59f545e7293f", "name": "panel_11", "type": "visualization"}, {"id": "2a054320-0edd-11e9-9846-59f545e7293f", "name": "panel_12", "type": "visualization"}], "sort": [1643385898421, 121], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzA1LDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:network\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Security Onion - Network Data", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 123], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Network - Source IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Network - Source 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0242ab70-6eae-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 125], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzA3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "title": "Security Onion - Files", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Files\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Strelka](/kibana/app/dashboards#/view/ff689c50-75f3-11ea-9565-7315f4ee5cac) 
\\n[Zeek](/kibana/app/dashboards#/view/ad4d5d60-75f4-11ea-9565-7315f4ee5cac)\"},\"aggs\":[]}"}, "coreMigrationVersion": "7.16.2", "id": "9a5058f0-6e99-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 126], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzA4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Log Count Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"20
20-03-29T18:17:18.800Z\",\"max\":\"2020-03-30T18:17:18.800Z\"}},\"label\":\"@timestamp per 30 minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 128], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.module:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Modules", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Modules\"}"}, "coreMigrationVersion": "7.16.2", "id": "8b065a80-6eca-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 130], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzEwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Dataset", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - 
Dataset\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 132], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzExLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - File - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - File - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "bcf25e30-75f1-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 134], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzEyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - FIle - Total Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - FIle - Total 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.bytes.total: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.bytes.total\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Total Bytes\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "efc25540-75f1-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 136], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - File - MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - File - MIME 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mime_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.mime_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e8d35c50-75f3-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 138], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzE0LDE1XQ=="} +{"attributes": {"columns": ["event.module", "source.ip", "destination.ip", "file.mime_type", "log.id.fuid", "hash.sha1", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "Security Onion - File Logs", "version": 1}, 
"coreMigrationVersion": "7.16.2", "id": "b0dc2460-0e4d-11eb-a255-e1e8e85e3571", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 140], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzE1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:file*\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\"},\"panelIndex\":\"6948ea4a-398f-4ab1-a269-e1e6ecd29e12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":15,\"h\":7,\"i\":\"d09eef70-f2b5-4085-b619-11cae812be58\"},\"panelIndex\":\"d09eef70-f2b5-4085-b619-11cae812be58\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":22,\"y\":0,\"w\":26,\"h\":7,\"i\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\"},\"panelIndex\":\"0dd18bd2-6631-4772-b3d0-4a92ff713e3a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":20,\"i\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\"},\"panelIndex\":\"86d343d4-c030-46a3-9f3e-083ccbf28b04\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":7,\"w\":8,\"h\":20,\"i\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\"},\"panelIndex\":\"2fb5d1e8-4ac6-42c4-852e-9046c2970086\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":16,\"y\":7,\"w\":10,\"h\":20,\"i\":\"7875de58-924b-4b27-bd51-159b5657659f\"},\"panelIndex\":\"7875de5
8-924b-4b27-bd51-159b5657659f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":26,\"y\":7,\"w\":10,\"h\":20,\"i\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\"},\"panelIndex\":\"f1f8a5c7-9e9f-460d-a2b8-eaca8d834c6b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":36,\"y\":7,\"w\":12,\"h\":20,\"i\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\"},\"panelIndex\":\"06055634-ec80-478d-93d5-67e1cc46e1ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"cfa99d8f-e7d6-46d5-9e7f-5dc5c3371275\"},\"panelIndex\":\"cfa99d8f-e7d6-46d5-9e7f-5dc5c3371275\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - Files", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0245be10-6ec1-11ea-9266-1fd14ca6af34", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "9a5058f0-6e99-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "8b065a80-6eca-11ea-9266-1fd14ca6af34", "name": "panel_3", "type": "visualization"}, {"id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_4", "type": "visualization"}, {"id": "bcf25e30-75f1-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "efc25540-75f1-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "e8d35c50-75f3-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "b0dc2460-0e4d-11eb-a255-e1e8e85e3571", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 150], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzEzNzE2LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "SSL - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 152], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzE3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SSL - Version (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SSL - Version (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "02699580-365a-11e7-bf60-314364dd1cde", "migrationVersion": {"visualization": "7.14.0"}, "references": 
[{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 154], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzE4LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_sip\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "SIP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9e131480-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 156], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzE5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SIP - Status", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - 
Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_code\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Code\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_msg.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Message\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0291dba0-4c78-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 158], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzIwLDE1XQ=="} +{"attributes": {"fieldAttrs": 
"{\"event.action\":{\"count\":8},\"host.user.name\":{\"count\":2},\"endgame.event_type_full\":{\"count\":5},\"host.name\":{\"count\":7},\"host.os.name\":{\"count\":3},\"host.os.name.text\":{\"count\":1},\"endgame.event_subtype_full\":{\"count\":3},\"event.category\":{\"count\":5},\"process.name\":{\"count\":6},\"process.parent.name\":{\"count\":1},\"agent.id\":{\"count\":2},\"process.executable\":{\"count\":3},\"type\":{\"count\":3},\"host.name.keyword\":{\"count\":2},\"event.sequence\":{\"count\":3},\"host.os.family\":{\"count\":1},\"host.os.platform\":{\"count\":1},\"event.type\":{\"count\":8},\"metadata.action\":{\"count\":2},\"user.name\":{\"count\":1},\"@version\":{\"count\":2},\"@timestamp\":{\"count\":1},\"registry.path\":{\"count\":1},\"related.user\":{\"count\":1},\"event.kind\":{\"count\":1},\"event.severity\":{\"count\":1},\"file.name\":{\"count\":4},\"host.domain\":{\"count\":1},\"process.command_line\":{\"count\":1},\"_id\":{\"count\":1},\"client.bytes\":{\"count\":2},\"destination.bytes\":{\"count\":2},\"network.bytes\":{\"count\":2},\"server.bytes\":{\"count\":2},\"source.bytes\":{\"count\":2},\"client.ip\":{\"count\":1},\"destination.ip\":{\"count\":1},\"source.ip\":{\"count\":1},\"file.attributes\":{\"count\":6},\"file.directory\":{\"count\":3},\"file.extension\":{\"count\":2},\"file.gid\":{\"count\":2},\"file.group\":{\"count\":2},\"host.hostname\":{\"count\":1},\"host.ip\":{\"count\":1},\"related.ip\":{\"count\":2},\"user.domain\":{\"count\":2}}", "fieldFormatMap": "{\"process.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:process.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(process.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value 
}}\"}},\"user.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:user.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(user.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"file.type\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:file.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(file.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"event.module\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:event.module,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value 
}}\"}},\"network.transport\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:network.transport,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(network.transport:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"source.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:source.ip,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(source.ip:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"host.name\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:host.name,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(host.name:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"registry.key\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:registry.key,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(registry.key:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value 
}}\"}},\"host.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:host.ip,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(host.ip:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"destination.ip\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"https://PLACEHOLDER/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'endgame-*',key:destination.ip,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(destination.ip:{{ value }})))),refreshInterval:(pause:!t,value:0),time:(from:now-24h,to:now))\",\"labelTemplate\":\"{{ value }}\"}},\"event.category.dashboard\":{\"id\":\"url\",\"params\":{\"urlTemplate\":\"{{ rawValue }}\",\"labelTemplate\":\"{{ value }}\"}}}", "fields": "[]", "runtimeFieldMap": "{\"event.category.dashboard\":{\"type\":\"keyword\",\"script\":{\"source\":\"def source = doc['event.category'].value;\\nMap urls = new HashMap();\\nurls.put(\\\"authentication\\\", \\\"dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"file\\\", \\\"dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"network\\\", \\\"dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36\\\");\\nurls.put(\\\"process\\\", \\\"dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"registry\\\", \\\"dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635\\\");\\nurls.put(\\\"driver\\\", \\\"dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635\\\");\\nif (source != null) {\\n\\tdef url = urls.get(source);\\n\\tif (url != null) {\\n\\t\\temit(url);\\n return;\\n\\t}\\n}\\nemit(\\\"None\\\");\"}}}", "timeFieldName": "@timestamp", "title": "endgame-*", "typeMeta": 
"{}"}, "coreMigrationVersion": "7.16.2", "id": "endgame-*", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 159], "type": "index-pattern", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzIxLDE1XQ=="} +{"attributes": {"columns": ["host.name", "registry.path", "related.user"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.category : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame - Registry Events", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0359b740-64cc-11ec-864c-8b5450f97635", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 161], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzIyLDE1XQ=="} +{"attributes": {"color": "#D36086", "description": "", "name": "Endgame"}, "coreMigrationVersion": "7.16.2", "id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "references": [], "sort": [1643385898421, 162], "type": "tag", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzIzLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"1828f449-a2e9-4ed2-a72c-e6f22382569e": {"columnOrder": ["e5498d4d-b9af-4016-8afc-e4639ceb6c10", "e5acabfb-508c-4778-adfb-e41ca3adbc23", "cf39428c-7790-4793-8906-cb5f02fd2f0f", "f42194c4-5434-42cb-ad39-e2756562f3ed", "25c7f5d8-ce06-4da5-b769-820ba42e328e", "d043970e-d696-48bc-905d-8f1f45019e3d"], "columns": {"25c7f5d8-ce06-4da5-b769-820ba42e328e": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.os.family", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"fallback": true, "type": "alphabetical"}, "orderDirection": "asc", 
"otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.os.family"}, "cf39428c-7790-4793-8906-cb5f02fd2f0f": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "host.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"fallback": true, "type": "alphabetical"}, "orderDirection": "asc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.ip"}, "d043970e-d696-48bc-905d-8f1f45019e3d": {"customLabel": true, "dataType": "string", "isBucketed": false, "label": "host.os.version", "operationType": "last_value", "params": {"sortField": "@timestamp"}, "scale": "ordinal", "sourceField": "host.os.version"}, "e5498d4d-b9af-4016-8afc-e4639ceb6c10": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"fallback": true, "type": "alphabetical"}, "orderDirection": "asc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "host.name"}, "e5acabfb-508c-4778-adfb-e41ca3adbc23": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.id", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"fallback": true, "type": "alphabetical"}, "orderDirection": "asc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.id"}, "f42194c4-5434-42cb-ad39-e2756562f3ed": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.os.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"fallback": true, "type": "alphabetical"}, "orderDirection": "asc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.os.name"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "e5498d4d-b9af-4016-8afc-e4639ceb6c10", "isTransposed": false, "width": 460.98333333333335}, {"columnId": 
"cf39428c-7790-4793-8906-cb5f02fd2f0f", "isTransposed": false, "width": 254.98333333333332}, {"columnId": "d043970e-d696-48bc-905d-8f1f45019e3d", "isTransposed": false, "width": 175.98333333333335}, {"columnId": "f42194c4-5434-42cb-ad39-e2756562f3ed", "isTransposed": false, "width": 200.98333333333335}, {"columnId": "e5acabfb-508c-4778-adfb-e41ca3adbc23", "isTransposed": false, "width": 515.8333333333334}, {"columnId": "25c7f5d8-ce06-4da5-b769-820ba42e328e", "isTransposed": false, "width": 201.23333333333332}], "layerId": "1828f449-a2e9-4ed2-a72c-e6f22382569e", "layerType": "data"}}, "title": "Endgame - Host Information Table", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "03935e10-6a20-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-1828f449-a2e9-4ed2-a72c-e6f22382569e", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 166], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzI0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"9643f560-7a46-408c-b61d-ed2a87fc6103": {"columnOrder": ["305b2f21-9981-40d5-a79b-f7a78eea89b4", "3520723b-f0f3-4845-975c-e97380d8124b"], "columns": {"305b2f21-9981-40d5-a79b-f7a78eea89b4": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "3520723b-f0f3-4845-975c-e97380d8124b", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "process.name"}, "3520723b-f0f3-4845-975c-e97380d8124b": {"dataType": "number", "isBucketed": false, "label": 
"Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["305b2f21-9981-40d5-a79b-f7a78eea89b4"], "layerId": "9643f560-7a46-408c-b61d-ed2a87fc6103", "layerType": "data", "legendDisplay": "default", "metric": "3520723b-f0f3-4845-975c-e97380d8124b", "nestedLegend": false, "numberDisplay": "percent"}], "palette": {"name": "kibana_palette", "type": "palette"}, "shape": "treemap"}}, "title": "Endgame - Alert Process", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "0406add0-6e48-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 170], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzI1LDE1XQ=="} +{"attributes": {"columns": ["osquery.columns.permissions", "osquery.columns.name"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome* AND osquery.columns.permissions:('all_urls','privacy')\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "osquery - Chrome Extensions - Sensitive Permissions", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "040dda10-18d8-11e9-932c-d12d2cf4ee95", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 172], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "04e1aea0-3750-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 174], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzI3LDE1XQ=="} +{"attributes": {"columns": ["osquery.hostname", "osquery.columns.username", "osquery.LiveQuery", "osquery.columns.name"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery AND osquery.name:*chrome*\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "osquery - Chrome Extensions", "version": 1}, "coreMigrationVersion": "7.16.2", "id": 
"0eee4360-18d4-11e9-932c-d12d2cf4ee95", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 176], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzI4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "osquery - Chrome Extensions - Changes by Hostname", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"title\":\"osquery - Chrome Extensions - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "04f86530-1a59-11e9-ac0b-cb0ba10141ab", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0eee4360-18d4-11e9-932c-d12d2cf4ee95", "name": "search_0", "type": "search"}], "sort": [1643385898421, 178], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query\":\"network.protocol:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Top Network Protocols", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Top Network Protocols\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d9eb5b30-6ea9-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 180], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzMwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Network - Transport", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Network - 
Transport\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"network.transport.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "79cc9670-6ead-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 182], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzMxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.category: network\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.2\",\"gridData\":{\"h\":9,\"i\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"w\":13,\"x\":0,\"y\":0},\"panelIndex\":\"b18f064d-2fba-45d8-a3c3-700ecec939a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":9,\"i\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"w\":14,\"x\":13,\"y\":0},\"panelIndex\":\"3bf59d17-132e-47bc-b548-e1e073491ec5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":9,\"i\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"w\":21,\"x\":27,\"y\":0},\"panelIndex\":\"49c9ae10-3f16-4cec-b044-c5cf2db199ae\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"w\":13,\"x\":0,\"y\":9},\"panelIndex\":\"87427ca5-e0b9-4ec8-bb5f-3452803befe1\",\"embeddableConfig\":{\"legendOpen\":false,\"vis\":{\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"w\":11,\"x\":13,\"y\":9},\"panelIndex\":\"3d3199e1-d839-4738-bc99-e030365b7070\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"w\":12,\"x\":24,\"y\":9},\"panelIndex\":\"a7745b0f-1c69-4837-9f7e-3d79b5a2ac60\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":19,\"i\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"w\":12,\"x\":36,\"y\":9},\"panelIndex\":\"221a543a-98d4-46dd-8e7c-bf97bb292021\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"h\":29,\"i\":\"55902091-6959-4127-a969-4015fbf124d3\",\"w\":48,\"x\":0,\"y\":28},\"panelIndex\":\"55902091-6959-4127-a969-4015fbf124d3\",\"embeddableConfig\":{\"enhanceme
nts\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "Security Onion - Network", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "04ff3ef0-6ea4-11ea-9266-1fd14ca6af34", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "d9eb5b30-6ea9-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "79cc9670-6ead-11ea-9266-1fd14ca6af34", "name": "panel_3", "type": "visualization"}, {"id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_4", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 191], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzMyLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"size\":10,\"query\":{\"query_string\":{\"query\":\"event_type:bro_conn\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Connections - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 193], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzMzLDE1XQ=="} +{"attributes": {"description": 
"", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Missed Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Missed Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"missed_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Missed Bytes\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "05088150-3670-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 195], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzM0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMB - Path", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMB - 
Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.path.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.path.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Path\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "052df440-75f0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 197], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzM1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Rule - GID/SID", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Rule - 
GID/SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":3,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"GID\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"SID\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.rev: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.gid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"GID\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.signature_id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SID\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.rev\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Revision\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "053f7130-7734-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 199], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzM2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Source - Originator Bytes ( Tile Map)", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}", "version": 1, "visState": "{\"title\":\"Connections - Source - Originator Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"original_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "05809df0-46cb-11e7-946f-1bfb1be7c36b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 201], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzM3LDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event_type: osquery\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "osquery - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "84116380-14e1-11e9-82f7-0da02d93a48b", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 203], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzM4LDE1XQ=="} +{"attributes": {"description": "", 
"kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "osquery - Changes by Hostname", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"osquery - Changes by Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.hostname.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "05a5ed10-14e4-11e9-82f7-0da02d93a48b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "84116380-14e1-11e9-82f7-0da02d93a48b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 205], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzM5LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "destination_ip", "destination_port", "uid", "fuid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ftp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "FTP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": 
"*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 207], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"FTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": 
"06f21d60-35b6-11e7-a994-c528746bc6e8", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 209], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNS - Query", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DNS - Query\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.query.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.query.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "07065340-72ba-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 211], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"b40ff395-6c20-4678-8aab-a74568f9a5cf": {"columnOrder": ["7588aa5a-05de-44d8-952a-7e7f7f6e5519", "0a2006cd-c185-4cf3-b9dc-7b395ca048cf", "1fed253e-8c24-4b33-94e4-1114efd871b4", "fa5b5762-e154-4170-8e31-110029d67cd0"], "columns": {"0a2006cd-c185-4cf3-b9dc-7b395ca048cf": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "fa5b5762-e154-4170-8e31-110029d67cd0", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "user.name"}, "1fed253e-8c24-4b33-94e4-1114efd871b4": {"customLabel": true, "dataType": "string", "isBucketed": false, "label": "event.outcome", "operationType": "last_value", "params": {"sortField": "@timestamp"}, "scale": "ordinal", "sourceField": "event.outcome"}, "7588aa5a-05de-44d8-952a-7e7f7f6e5519": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "host.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "fa5b5762-e154-4170-8e31-110029d67cd0", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.ip"}, "fa5b5762-e154-4170-8e31-110029d67cd0": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": 
{"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "1fed253e-8c24-4b33-94e4-1114efd871b4"}, {"columnId": "7588aa5a-05de-44d8-952a-7e7f7f6e5519", "isTransposed": false}, {"columnId": "fa5b5762-e154-4170-8e31-110029d67cd0", "isTransposed": false}, {"columnId": "0a2006cd-c185-4cf3-b9dc-7b395ca048cf", "isTransposed": false}], "layerId": "b40ff395-6c20-4678-8aab-a74568f9a5cf", "layerType": "data"}}, "title": "Endgame - Auth Event Outcome", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "072ae530-6d6c-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-b40ff395-6c20-4678-8aab-a74568f9a5cf", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 216], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - PE - Section", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.section_names.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Section\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - Section\"}"}, "coreMigrationVersion": "7.16.2", "id": "07419650-c763-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 218], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQ0LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "destination_ip", "destination_port", "uid", "fuid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_intel\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Intel - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 220], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Intel - Indicator Type (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Intel - Indicator Type (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{\"text\":\"Indicator Type\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"indicator_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "07622d60-6e16-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 222], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQ2LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_mysql\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "MySQL - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "5d624230-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 224], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "MySQL - Command/Argument", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"MySQL - 
Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_command.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql_argument.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "07e25650-3812-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5d624230-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 226], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQ4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - HTTP - Method", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.method.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "088aad70-7377-11ea-a3da-cbdb4f8a90c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 228], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Hash - SHA256", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Hash - 
SHA256\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.hash.sha256.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.sha256.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "08c0b770-772e-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 230], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzUwLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"a4e4fe43-0662-4a4f-a5b1-57b8f6475336": {"columnOrder": ["198124aa-9a71-41ea-bcc5-1938e8373b85", "80ce6212-7318-4c10-90ad-bb58171524d0", "556f58d4-2449-46ab-ba8c-db6846dcb74a", "fa795a61-1d89-491e-87de-ba6469644719"], "columns": {"198124aa-9a71-41ea-bcc5-1938e8373b85": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "server.address", "operationType": "terms", "params": 
{"missingBucket": false, "orderBy": {"columnId": "fa795a61-1d89-491e-87de-ba6469644719", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "server.address"}, "556f58d4-2449-46ab-ba8c-db6846dcb74a": {"dataType": "number", "isBucketed": true, "label": "server.port", "operationType": "range", "params": {"maxBars": "auto", "ranges": [{"from": 0, "label": "", "to": 1000}], "type": "histogram"}, "scale": "interval", "sourceField": "server.port"}, "80ce6212-7318-4c10-90ad-bb58171524d0": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "network.transport", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "fa795a61-1d89-491e-87de-ba6469644719", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "network.transport"}, "fa795a61-1d89-491e-87de-ba6469644719": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "198124aa-9a71-41ea-bcc5-1938e8373b85", "isTransposed": false}, {"columnId": "80ce6212-7318-4c10-90ad-bb58171524d0", "isTransposed": false}, {"columnId": "fa795a61-1d89-491e-87de-ba6469644719", "isTransposed": false}, {"columnId": "556f58d4-2449-46ab-ba8c-db6846dcb74a", "isTransposed": false}], "layerId": "a4e4fe43-0662-4a4f-a5b1-57b8f6475336", "layerType": "data"}}, "title": "Endgame - Network Transport", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": 
"09227f50-6e44-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-a4e4fe43-0662-4a4f-a5b1-57b8f6475336", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 235], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzUxLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssh\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "SSH - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 237], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SSH - Log Count Over 
TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "09457310-3641-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 239], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzUzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - 
Hash - MD5", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Hash - MD5\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.md5.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MD5\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "09fc6ef0-7732-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 241], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzU0LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "syslog-host_from", "syslog-priority"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Syslog (All) - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 243], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzU1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Syslog - Host From", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Syslog - Host From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Host (From)\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "name": "search_0", "type": "search"}], "sort": [1643385898421, 245], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzU2LDE1XQ=="} +{"attributes": {"columns": ["host", "certificate_subject", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "X.509 - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": 
"*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 247], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "X.509 - Certificate Issuer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_issuer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "0a5f7b30-37d9-11e7-9efb-91e89505091f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 249], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzU4LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rdp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RDP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": 
"823dd600-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 251], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RDP - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RDP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "0b9dea80-371c-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 253], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzYwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RDP - Certificate Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RDP - Certificate 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.certificate_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.certificate_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0c006bb0-75c6-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 255], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzYxLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "DNS - Logs", 
"version": 1}, "coreMigrationVersion": "7.16.2", "id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 257], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzYyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNS - Query Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - Query Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query_type_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0c338e50-4a4e-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 259], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzYzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "title": "Endgame - Navigation", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - 
Navigation\",\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":true,\"markdown\":\"**Kibana** \\n[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n[Alerts](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) |\\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame Console** \\n [Dashboard](https://ENDGAMEHOST/dashboard) | [Alerts](https://ENDGAMEHOST/alerts/dashboard)\"}}"}, "coreMigrationVersion": "7.16.2", "id": "754f7380-6d82-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}, {"id": "0b963f20-6f9c-11ec-864c-8b5450f97635", "name": "tag-0b963f20-6f9c-11ec-864c-8b5450f97635", "type": "tag"}], "sort": [1643385898421, 262], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzY0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"842f61f9-afc4-44dc-a6bd-e3cc66a8827b": {"columnOrder": ["2834ba67-2809-442b-b80b-4b17d3a67d43"], "columns": {"2834ba67-2809-442b-b80b-4b17d3a67d43": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": " Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"accessor": "2834ba67-2809-442b-b80b-4b17d3a67d43", "layerId": "842f61f9-afc4-44dc-a6bd-e3cc66a8827b", "layerType": "data"}}, 
"title": "Endgame - Alerts All Logs", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "914d4890-6e46-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 266], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzY1LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"0600494b-6f03-450b-8dab-981005aedf32": {"columnOrder": ["0f00561d-d6d7-46b2-af59-4ea225a9893a", "34e0e2cc-aab4-4581-9bc4-aba527024007"], "columns": {"0f00561d-d6d7-46b2-af59-4ea225a9893a": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}, "34e0e2cc-aab4-4581-9bc4-aba527024007": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "params": {"format": {"id": "number", "params": {"decimals": 0}}}, "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": false, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["34e0e2cc-aab4-4581-9bc4-aba527024007"], "layerId": "0600494b-6f03-450b-8dab-981005aedf32", "layerType": "data", "position": "top", "seriesType": "bar", "showGridlines": false, "xAccessor": 
"0f00561d-d6d7-46b2-af59-4ea225a9893a"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Alert Logs Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "d94cae10-6e46-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 270], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzY2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3b6026b4-9c36-4fbc-9f90-bd5580303bea": {"columnOrder": ["d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721", "ff0a89b4-427d-4739-bb83-86794a1f4289"], "columns": {"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ff0a89b4-427d-4739-bb83-86794a1f4289", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "user.name"}, "ff0a89b4-427d-4739-bb83-86794a1f4289": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"columns": [{"columnId": "d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721"}, {"columnId": 
"ff0a89b4-427d-4739-bb83-86794a1f4289"}], "layerId": "3b6026b4-9c36-4fbc-9f90-bd5580303bea", "layerType": "data"}}, "title": "Endgame - Alert User Name", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "f376b820-6e47-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 274], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzY3LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3dff58f4-dda3-4f2d-9e31-d8552e12eb13": {"columnOrder": ["8e1fb558-637d-42a8-9127-002e698bde8a", "8546cccc-256d-4ef9-8de6-2825a3a5a649", "f6f670d2-0af3-4432-97d4-8ac112cb7102"], "columns": {"8546cccc-256d-4ef9-8de6-2825a3a5a649": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "command_line", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "f6f670d2-0af3-4432-97d4-8ac112cb7102", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "process.command_line"}, "8e1fb558-637d-42a8-9127-002e698bde8a": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.domain", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "f6f670d2-0af3-4432-97d4-8ac112cb7102", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.domain"}, "f6f670d2-0af3-4432-97d4-8ac112cb7102": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", 
"scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"columns": [{"columnId": "8546cccc-256d-4ef9-8de6-2825a3a5a649", "isTransposed": false, "width": 432.33333333333337}, {"columnId": "8e1fb558-637d-42a8-9127-002e698bde8a", "isTransposed": false, "width": 197.83333333333331}, {"columnId": "f6f670d2-0af3-4432-97d4-8ac112cb7102", "isTransposed": false}], "layerId": "3dff58f4-dda3-4f2d-9e31-d8552e12eb13", "layerType": "data"}}, "title": "Endgame - Alerts Host Domain", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "1fd82420-6e3a-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3dff58f4-dda3-4f2d-9e31-d8552e12eb13", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 278], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzY4LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"46832f84-f86b-4914-a3ac-aaeda9f09cf7": {"columnOrder": ["77069155-4e9a-4727-b888-648fed60258e", "e7878efe-2181-449d-afd3-771296665829", "738c056c-c4eb-4855-a690-90fa5b9e23f8", "02c8c47e-9b96-4384-b467-1fd9cff2b78b", "d61f74aa-1899-4881-a2cc-d0dc7cbf28df", "6de07e81-5ee7-4885-af47-26b401667757", "895abdf3-8c99-4473-a904-b379d478aae1", "e30b3573-c58d-4b82-853d-70c1d090d641"], "columns": {"02c8c47e-9b96-4384-b467-1fd9cff2b78b": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.command_line", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, 
"orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "process.command_line"}, "6de07e81-5ee7-4885-af47-26b401667757": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "file.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "file.name"}, "738c056c-c4eb-4855-a690-90fa5b9e23f8": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Category", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "event.category"}, "77069155-4e9a-4727-b888-648fed60258e": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "event.id ", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "event.id"}, "895abdf3-8c99-4473-a904-b379d478aae1": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.domain", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.domain"}, "d61f74aa-1899-4881-a2cc-d0dc7cbf28df": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", 
"sourceField": "process.name"}, "e30b3573-c58d-4b82-853d-70c1d090d641": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "e7878efe-2181-449d-afd3-771296665829": {"customLabel": true, "dataType": "number", "isBucketed": true, "label": "Severity", "operationType": "range", "params": {"maxBars": "auto", "ranges": [{"from": 0, "label": "", "to": 1000}], "type": "histogram"}, "scale": "interval", "sourceField": "event.severity"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"columns": [{"columnId": "77069155-4e9a-4727-b888-648fed60258e", "isTransposed": false}, {"alignment": "center", "columnId": "e7878efe-2181-449d-afd3-771296665829", "isTransposed": false}, {"columnId": "738c056c-c4eb-4855-a690-90fa5b9e23f8", "isTransposed": false}, {"columnId": "02c8c47e-9b96-4384-b467-1fd9cff2b78b", "isTransposed": false}, {"columnId": "d61f74aa-1899-4881-a2cc-d0dc7cbf28df", "isTransposed": false}, {"columnId": "6de07e81-5ee7-4885-af47-26b401667757", "isTransposed": false}, {"columnId": "895abdf3-8c99-4473-a904-b379d478aae1", "isTransposed": false}, {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "hidden": true, "isTransposed": false}], "layerId": "46832f84-f86b-4914-a3ac-aaeda9f09cf7", "layerType": "data"}}, "title": "Endgame - Alerts Events", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "ca0f3e20-6e48-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 282], "type": "lens", 
"updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzY5LDE1XQ=="} +{"attributes": {"columns": [], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.kind\",\"params\":{\"query\":\"alert\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.kind\":\"alert\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame - Alert Search", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3ab5c280-6f06-11ec-864c-8b5450f97635", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1643385898421, 285], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzcwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":11,\"i\":\"3aa898cc-eaa4-47ea-962f-fd5be8255144\"},\"panelIndex\":\"3aa898cc-eaa4-47ea-962f-fd5be8255144\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** 
\\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_3aa898cc-eaa4-47ea-962f-fd5be8255144\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":9,\"h\":11,\"i\":\"1ab268d3-b117-4d65-b568-d53af35bebb4\"},\"panelIndex\":\"1ab268d3-b117-4d65-b568-d53af35bebb4\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\",\"type\":\"lens\",\"id\":\"914d4890-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\",\"type\":\"lens\",\"id\":\"914d4890-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\",\"type\":\"lens\",\"id\":\"914d4890-6e46-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b\"}],\"state\":{\"visualization\":{\"layerId\":\"842f61f9-afc4-44dc-a6bd-e3cc66a8827b\",\"accessor\":\"2834ba67-2809-442b-b80b-4b17d3a67d43\",\"layerType\":\"data\"},\"query\":{\"query\":\"event.kind : \\\"alert\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"842f61f9-afc4-44dc-a6bd-e3cc66a8827b\":{\"columns\":{\"2834ba67-2809-442b-b80b-4b17d3a67d43\":{\"label\":\" \",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"customLabel\":true}},\"columnOrder\":[\"2834ba67-2809-442b-b80b-4b17d3a67d43\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_1ab268d3-b117-4d65-b568-d53af35bebb4\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":11,\"i\":\"41131702-4832-4ca2-a24c-2418181fa4bb\"},\"panelIndex\":\"41131702-4832-4ca2-a24c-2418181fa4bb\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\",\"type\":\"lens\",\"id\":\"d94cae10-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\",\"type\":\"lens\",\"id\":\"d94cae10-6e46-11ec-864c-8b5450f97635\"},{\"name\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\",\"type\":\"lens\",\"id\":\"d94cae10-6e46-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":false,\"yLeft\":true,\"yRight\":true},\"pr
eferredSeriesType\":\"bar\",\"layers\":[{\"layerId\":\"0600494b-6f03-450b-8dab-981005aedf32\",\"accessors\":[\"34e0e2cc-aab4-4581-9bc4-aba527024007\"],\"position\":\"top\",\"seriesType\":\"bar\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"0f00561d-d6d7-46b2-af59-4ea225a9893a\"}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"0600494b-6f03-450b-8dab-981005aedf32\":{\"columns\":{\"0f00561d-d6d7-46b2-af59-4ea225a9893a\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"34e0e2cc-aab4-4581-9bc4-aba527024007\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"params\":{\"format\":{\"id\":\"number\",\"params\":{\"decimals\":0}}},\"customLabel\":true}},\"columnOrder\":[\"0f00561d-d6d7-46b2-af59-4ea225a9893a\",\"34e0e2cc-aab4-4581-9bc4-aba527024007\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Alerts Log Count Over 
Time\",\"panelRefName\":\"panel_41131702-4832-4ca2-a24c-2418181fa4bb\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":8,\"h\":15,\"i\":\"126f7572-997b-441a-a124-a342a75325d5\"},\"panelIndex\":\"126f7572-997b-441a-a124-a342a75325d5\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_126f7572-997b-441a-a124-a342a75325d5\",\"type\":\"lens\",\"id\":\"f376b820-6e47-11ec-864c-8b5450f97635\"},{\"name\":\"panel_126f7572-997b-441a-a124-a342a75325d5\",\"type\":\"lens\",\"id\":\"f376b820-6e47-11ec-864c-8b5450f97635\"},{\"name\":\"panel_126f7572-997b-441a-a124-a342a75325d5\",\"type\":\"lens\",\"id\":\"f376b820-6e47-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea\"}],\"state\":{\"visualization\":{\"layerId\":\"3b6026b4-9c36-4fbc-9f90-bd5580303bea\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721\"},{\"columnId\":\"ff0a89b4-427d-4739-bb83-86794a1f4289\"}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" 
\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3b6026b4-9c36-4fbc-9f90-bd5580303bea\":{\"columns\":{\"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721\":{\"label\":\"user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"ff0a89b4-427d-4739-bb83-86794a1f4289\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"ff0a89b4-427d-4739-bb83-86794a1f4289\":{\"label\":\"Count\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"customLabel\":true}},\"columnOrder\":[\"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721\",\"ff0a89b4-427d-4739-bb83-86794a1f4289\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Alerts Users\",\"panelRefName\":\"panel_126f7572-997b-441a-a124-a342a75325d5\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":11,\"w\":16,\"h\":15,\"i\":\"146912f3-f4f8-4cc3-9226-6f516dd3c3da\"},\"panelIndex\":\"146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"type\":\"lens\",\"id\":\"0406add0-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"type\":\"lens\",\"id\":\"0406add0-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\",\"type\":\"lens\",\"id\":\"0406add0-6e48-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103\"}],\"state\":{\"visualizat
ion\":{\"shape\":\"treemap\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"layers\":[{\"layerId\":\"9643f560-7a46-408c-b61d-ed2a87fc6103\",\"groups\":[\"305b2f21-9981-40d5-a79b-f7a78eea89b4\"],\"metric\":\"3520723b-f0f3-4845-975c-e97380d8124b\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"9643f560-7a46-408c-b61d-ed2a87fc6103\":{\"columns\":{\"305b2f21-9981-40d5-a79b-f7a78eea89b4\":{\"label\":\"process.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":20,\"orderBy\":{\"type\":\"column\",\"columnId\":\"3520723b-f0f3-4845-975c-e97380d8124b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"3520723b-f0f3-4845-975c-e97380d8124b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"305b2f21-9981-40d5-a79b-f7a78eea89b4\",\"3520723b-f0f3-4845-975c-e97380d8124b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[]}},\"type\":\"lens\"},\"title\":\"Endgame - Alerts 
Processes\",\"panelRefName\":\"panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":11,\"w\":24,\"h\":15,\"i\":\"7a533f92-16c8-4f34-b31b-8055cce33284\"},\"panelIndex\":\"7a533f92-16c8-4f34-b31b-8055cce33284\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"panelRefName\":\"panel_7a533f92-16c8-4f34-b31b-8055cce33284\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":13,\"i\":\"37330ea4-1070-465d-8356-97f438a273f9\"},\"panelIndex\":\"37330ea4-1070-465d-8356-97f438a273f9\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\",\"type\":\"lens\",\"id\":\"ca0f3e20-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\",\"type\":\"lens\",\"id\":\"ca0f3e20-6e48-11ec-864c-8b5450f97635\"},{\"name\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\",\"type\":\"lens\",\"id\":\"ca0f3e20-6e48-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7\"}],\"state\":{\"visualization\":{\"layerId\":\"46832f84-f86b-4914-a3ac-aaeda9f09cf7\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"77069155-4e9a-4727-b888-648fed60258e\",\"isTransposed\":false},{\"columnId\":\"e7878efe-2181-449d-afd3-771296665829\",\"isTransposed\":false,\"alignment\":\"center\"},{\"isTransposed\":false,\"columnId\":\"738c056c-c4eb-4855-a690-90fa5b9e23f8\"},{\"isTransposed\":false,\"columnId\":\"02c8c47e-9b96-4384-b467-1fd9cff2b78b\"},{\"isTransposed\":false,\"columnId\":\"d61f74aa-1899-4881-a2cc-d0dc7cbf28df\"},{\"isTransposed\":false,\"columnId\":\"6de07e81-5ee7-4885-af47-26b401667757\"},{\"isTransposed\":false,\"columnId\":\"895a
bdf3-8c99-4473-a904-b379d478aae1\"},{\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\",\"isTransposed\":false,\"hidden\":true}]},\"query\":{\"query\":\"event.kind : \\\"alert\\\" \",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"46832f84-f86b-4914-a3ac-aaeda9f09cf7\":{\"columns\":{\"77069155-4e9a-4727-b888-648fed60258e\":{\"label\":\"event.id (click on + to go to Endgame)\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.id\",\"isBucketed\":true,\"params\":{\"size\":10,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"e7878efe-2181-449d-afd3-771296665829\":{\"label\":\"Severity\",\"dataType\":\"number\",\"operationType\":\"range\",\"sourceField\":\"event.severity\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"type\":\"histogram\",\"ranges\":[{\"from\":0,\"to\":1000,\"label\":\"\"}],\"maxBars\":\"auto\"},\"customLabel\":true},\"738c056c-c4eb-4855-a690-90fa5b9e23f8\":{\"label\":\"Category\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.category\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"02c8c47e-9b96-4384-b467-1fd9cff2b78b\":{\"label\":\"process.command_line\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.command_line\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"d61f74aa-1899-4881-a2cc-d0dc7cbf28df\":{\"label\":\"process.name\",\"dataType\":\"string\",\"
operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"process.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"6de07e81-5ee7-4885-af47-26b401667757\":{\"label\":\"file.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"895abdf3-8c99-4473-a904-b379d478aae1\":{\"label\":\"host.domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.domain\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e30b3573-c58d-4b82-853d-70c1d090d641\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false},\"customLabel\":true},\"e30b3573-c58d-4b82-853d-70c1d090d641\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"77069155-4e9a-4727-b888-648fed60258e\",\"e7878efe-2181-449d-afd3-771296665829\",\"738c056c-c4eb-4855-a690-90fa5b9e23f8\",\"02c8c47e-9b96-4384-b467-1fd9cff2b78b\",\"d61f74aa-1899-4881-a2cc-d0dc7cbf28df\",\"6de07e81-5ee7-4885-af47-26b401667757\",\"895abdf3-8c99-4473-a904-b379d478aae1\",\"e30b3573-c58d-4b82-853d-70c1d090d641\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"28bd4c58-580b-4d1c-b65e-3ddef0fee644\",\"triggers\":[\"VALUE_CLICK_TRIGGER\"],\"action\":{\"factoryId\":\"URL_DRILLDOWN\",\"name\":\"Open event in 
Endgame\",\"config\":{\"url\":{\"template\":\"https://ENDGAMEHOST/alerts/{{event.value}}\"},\"openInNewTab\":true,\"encodeUrl\":false}}}]}},\"hidePanelTitles\":false,\"type\":\"lens\"},\"title\":\"Endgame - Alerts Event\",\"panelRefName\":\"panel_37330ea4-1070-465d-8356-97f438a273f9\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":39,\"w\":48,\"h\":18,\"i\":\"b3f00dae-22f1-4455-a672-087870874671\"},\"panelIndex\":\"b3f00dae-22f1-4455-a672-087870874671\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b3f00dae-22f1-4455-a672-087870874671\"}]", "timeRestore": false, "title": "Endgame - Alerts", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0c8e61c0-67fc-11ec-864c-8b5450f97635", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "3aa898cc-eaa4-47ea-962f-fd5be8255144:panel_3aa898cc-eaa4-47ea-962f-fd5be8255144", "type": "visualization"}, {"id": "914d4890-6e46-11ec-864c-8b5450f97635", "name": "1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4", "type": "lens"}, {"id": "914d4890-6e46-11ec-864c-8b5450f97635", "name": "1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4", "type": "lens"}, {"id": "914d4890-6e46-11ec-864c-8b5450f97635", "name": "1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4", "type": "lens"}, {"id": "914d4890-6e46-11ec-864c-8b5450f97635", "name": "1ab268d3-b117-4d65-b568-d53af35bebb4:panel_1ab268d3-b117-4d65-b568-d53af35bebb4", "type": "lens"}, {"id": "endgame-*", "name": "1ab268d3-b117-4d65-b568-d53af35bebb4:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "1ab268d3-b117-4d65-b568-d53af35bebb4:indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b", "type": "index-pattern"}, {"id": "d94cae10-6e46-11ec-864c-8b5450f97635", "name": 
"41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb", "type": "lens"}, {"id": "d94cae10-6e46-11ec-864c-8b5450f97635", "name": "41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb", "type": "lens"}, {"id": "d94cae10-6e46-11ec-864c-8b5450f97635", "name": "41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb", "type": "lens"}, {"id": "d94cae10-6e46-11ec-864c-8b5450f97635", "name": "41131702-4832-4ca2-a24c-2418181fa4bb:panel_41131702-4832-4ca2-a24c-2418181fa4bb", "type": "lens"}, {"id": "endgame-*", "name": "41131702-4832-4ca2-a24c-2418181fa4bb:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "41131702-4832-4ca2-a24c-2418181fa4bb:indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32", "type": "index-pattern"}, {"id": "f376b820-6e47-11ec-864c-8b5450f97635", "name": "126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5", "type": "lens"}, {"id": "f376b820-6e47-11ec-864c-8b5450f97635", "name": "126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5", "type": "lens"}, {"id": "f376b820-6e47-11ec-864c-8b5450f97635", "name": "126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5", "type": "lens"}, {"id": "f376b820-6e47-11ec-864c-8b5450f97635", "name": "126f7572-997b-441a-a124-a342a75325d5:panel_126f7572-997b-441a-a124-a342a75325d5", "type": "lens"}, {"id": "endgame-*", "name": "126f7572-997b-441a-a124-a342a75325d5:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "126f7572-997b-441a-a124-a342a75325d5:indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea", "type": "index-pattern"}, {"id": "0406add0-6e48-11ec-864c-8b5450f97635", "name": "146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da", "type": "lens"}, {"id": "0406add0-6e48-11ec-864c-8b5450f97635", "name": 
"146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da", "type": "lens"}, {"id": "0406add0-6e48-11ec-864c-8b5450f97635", "name": "146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da", "type": "lens"}, {"id": "0406add0-6e48-11ec-864c-8b5450f97635", "name": "146912f3-f4f8-4cc3-9226-6f516dd3c3da:panel_146912f3-f4f8-4cc3-9226-6f516dd3c3da", "type": "lens"}, {"id": "endgame-*", "name": "146912f3-f4f8-4cc3-9226-6f516dd3c3da:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "146912f3-f4f8-4cc3-9226-6f516dd3c3da:indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103", "type": "index-pattern"}, {"id": "1fd82420-6e3a-11ec-864c-8b5450f97635", "name": "7a533f92-16c8-4f34-b31b-8055cce33284:panel_7a533f92-16c8-4f34-b31b-8055cce33284", "type": "lens"}, {"id": "ca0f3e20-6e48-11ec-864c-8b5450f97635", "name": "37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9", "type": "lens"}, {"id": "ca0f3e20-6e48-11ec-864c-8b5450f97635", "name": "37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9", "type": "lens"}, {"id": "ca0f3e20-6e48-11ec-864c-8b5450f97635", "name": "37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9", "type": "lens"}, {"id": "ca0f3e20-6e48-11ec-864c-8b5450f97635", "name": "37330ea4-1070-465d-8356-97f438a273f9:panel_37330ea4-1070-465d-8356-97f438a273f9", "type": "lens"}, {"id": "endgame-*", "name": "37330ea4-1070-465d-8356-97f438a273f9:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "37330ea4-1070-465d-8356-97f438a273f9:indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7", "type": "index-pattern"}, {"id": "3ab5c280-6f06-11ec-864c-8b5450f97635", "name": "b3f00dae-22f1-4455-a672-087870874671:panel_b3f00dae-22f1-4455-a672-087870874671", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": 
"tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 320], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzcxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RADIUS - Reply", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RADIUS - Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"radius.reply_message.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"radius.reply_message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Reply\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0ca071b0-75c5-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 322], "type": 
"visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzcyLDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Security Onion - Sysmon", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "6281da80-c780-11ea-bebb-37c5ab5894ea", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 324], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Sysmon Datasets", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Hostname\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Sysmon Datasets\"}"}, "coreMigrationVersion": "7.16.2", "id": "0caa7df0-c781-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "6281da80-c780-11ea-bebb-37c5ab5894ea", "name": "search_0", "type": "search"}], "sort": [1643385898421, 326], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzc0LDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:conn\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Security Onion - Connections", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": 
"index-pattern"}], "sort": [1643385898421, 328], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzc1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date_range\",\"params\":{\"id\":\"date\",\"params\":{\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"params\":{},\"label\":\"@timestamp date 
ranges\",\"aggType\":\"date_range\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "34721460-6ebc-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 330], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzc2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c9121690-6ea0-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 332], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzc3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - State", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - 
State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"connection.state.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"State\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "23b65290-6ea2-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 334], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzc4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Connections - State (Desc)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.state_description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Connection State\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Connections - State (Desc)\"}"}, "coreMigrationVersion": "7.16.2", "id": "dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 336], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - Client Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - Client 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Client Bytes\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client Bytes\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "98f6e9d0-6ea1-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 338], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - Responder Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - Responder 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Bytes\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.bytes\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Bytes\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "70565ec0-6ea1-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 340], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzgxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - History", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - 
History\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection.history.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"History\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "5414ad60-6ea2-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 342], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzgyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:conn\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\"},\"panelIndex\":\"a05b7540-74b1-40db-b1d6-0e151f5bbaba\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":13,\"h\":9,\"i\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\"},\"panelIndex\":\"78f096e9-6e6b-4144-a63f-3767deab6c8c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":9,\"i\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\"},\"panelIndex\":\"f24faa4b-0270-44e6-af45-639e2d39c2c3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":11,\"h\":18,\"i\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\"},\"panelIndex\":\"8cc3f2ee-fcc8-4ddb-8f44-ec0b08da4756\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":11,\"y\":9,\"w\":12,\"h\":18,\"i\":\"5558d00d-f3fd-4051-96a4-384134149228\"},\"panelIndex\":\"5558d00d-f3fd-4051-96a4-384134149228\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":23,\"y\":9,\"w\":13,\"h\":18,\"i\":\"ccdbd90c-299e-4e60-a139-1505f1329071\"},\"panelIndex\":\"ccdbd90c-299e-4e60-a139-1505f1329071\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":9,\"w\":12,\"h\":18,\"i\":\"d678bf2f-f183-4981-9142-976880029daa\"},\"panelIndex\":\"d678bf2f-f183-4981-9142-976880029daa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":18,\"i\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\"},\"panelIndex\":\"97f0546b-01c5-41c1-9316-099f2b3c8d91\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\
":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":27,\"w\":9,\"h\":18,\"i\":\"598bda31-1136-4474-9384-451491a71d23\"},\"panelIndex\":\"598bda31-1136-4474-9384-451491a71d23\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":27,\"w\":9,\"h\":18,\"i\":\"8192def5-399b-4728-8646-edf393b63b7e\"},\"panelIndex\":\"8192def5-399b-4728-8646-edf393b63b7e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":37,\"y\":27,\"w\":11,\"h\":18,\"i\":\"755322ff-13a8-4121-a2db-6322c037e8b3\"},\"panelIndex\":\"755322ff-13a8-4121-a2db-6322c037e8b3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"a03bb16a-9d36-4cad-91a3-256b29489fd7\"},\"panelIndex\":\"a03bb16a-9d36-4cad-91a3-256b29489fd7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "Security Onion - Connections", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0cc628b0-6e9f-11ea-9266-1fd14ca6af34", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "34721460-6ebc-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "c9121690-6ea0-11ea-9266-1fd14ca6af34", "name": "panel_5", "type": "visualization"}, {"id": "23b65290-6ea2-11ea-9266-1fd14ca6af34", "name": "panel_6", "type": "visualization"}, {"id": "dc3f2c10-c6d6-11ea-bebb-37c5ab5894ea", "name": "panel_7", 
"type": "visualization"}, {"id": "98f6e9d0-6ea1-11ea-9266-1fd14ca6af34", "name": "panel_8", "type": "visualization"}, {"id": "70565ec0-6ea1-11ea-9266-1fd14ca6af34", "name": "panel_9", "type": "visualization"}, {"id": "5414ad60-6ea2-11ea-9266-1fd14ca6af34", "name": "panel_10", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_11", "type": "search"}], "sort": [1643385898421, 355], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.category.keyword : \\\"process\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - All Event.Cat:Process Logs", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - All Event.Cat:Process Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}}}"}, "coreMigrationVersion": "7.16.2", "id": "0d0c0750-6348-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 358], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzg0LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", 
"destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_modbus\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Modbus - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 360], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzg1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Modbus - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Modbus - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "0d168a30-363f-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 362], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzg2LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_weird\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Weird - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": 
"e32d0d50-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 364], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"extended_bounds\":{},\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1},\"schema\":\"segment\",\"type\":\"date_histogram\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"@timestamp per 12 hours\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"line\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"title\":\"Weird - 
Log Count Over TIme\",\"type\":\"line\"}"}, "coreMigrationVersion": "7.16.2", "id": "0dbcade0-3642-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 366], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzg4LDE1XQ=="} +{"attributes": {"columns": ["alert_level", "classification", "description"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[{\"meta\":{\"negate\":false,\"key\":\"tags\",\"value\":\"alert\",\"disabled\":false,\"alias\":null,\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"tags\":{\"query\":\"alert\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "OSSEC - Alerts", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1643385898421, 369], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzg5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "OSSEC Alerts - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"OSSEC Alerts - Log Count Over 
TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "4fa0e530-3644-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 371], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzkwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": 
"search_0", "title": "OSSEC Alerts - Alert Level (Pie Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"OSSEC Alerts - Alert Level (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"alert_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Alert Level\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "69d98570-398b-11e7-84f8-a1f7cef50fcb", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 373], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzkxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "OSSEC Alerts - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"OSSEC Alerts - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG4pcDxQT5EBNmq3pi", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 375], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "OSSEC Alerts - Event Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"OSSEC Alerts - Event 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"description.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Description\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"Username\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ee0ba080-4a3d-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 377], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "OSSEC Alerts - User to Escalated User (Data Table)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"OSSEC 
Alerts - User to Escalated User (Data Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"escalated_user.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Escalated User\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "1de31b40-4a42-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 379], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzk0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "OSSEC Alerts - Command (Data Table)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"OSSEC Alerts - Command (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9ff34f60-4a42-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 381], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "OSSEC Alerts - Process and Username (Data Table)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"OSSEC Alerts - Process and Username (Data 
Table)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Process\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "447bd2f0-4a43-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 383], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzk2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"h\":60,\"i\":\"1\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":28,\"i\":\"6\",\"w\":16,\"x\":32,\"y\":8},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":true},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":56,\"i\":\"11\",\"w\":48,\"x\":0,\"y\":88},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":8,\"i\":\"12\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":28,\"i\":\"13\",\"w\":24,\"x\":8,\"y\":8},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":24,\"i\":\"14\",\"w\":16,\"x\":32,\"y\":36},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":28,\"i\":\"15\",\"w\":48,\"x\":0,\"y\":60},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"h\":24,\"i\":\"16\",\"w\":24,\"x\":8,\"y\":36},\"panelIndex\":\"16\",\"embeddableConfig\":{\"spy\":null,\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - OSSEC Alerts", "version": 
1}, "coreMigrationVersion": "7.16.2", "id": "0de7a390-3644-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "4fa0e530-3644-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "69d98570-398b-11e7-84f8-a1f7cef50fcb", "name": "panel_2", "type": "visualization"}, {"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "panel_3", "type": "search"}, {"id": "AWDG4pcDxQT5EBNmq3pi", "name": "panel_4", "type": "visualization"}, {"id": "ee0ba080-4a3d-11e8-9b0a-f1d33346f773", "name": "panel_5", "type": "visualization"}, {"id": "1de31b40-4a42-11e8-9b0a-f1d33346f773", "name": "panel_6", "type": "visualization"}, {"id": "9ff34f60-4a42-11e8-9b0a-f1d33346f773", "name": "panel_7", "type": "visualization"}, {"id": "447bd2f0-4a43-11e8-9b0a-f1d33346f773", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 393], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzk3LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_snmp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "SNMP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 395], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SNMP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "0defabb0-36b9-11e7-9786-41a1d72e15ad", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 397], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzNzk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "Security Onion - Alert Data", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Playbook](/kibana/app/dashboards#/view/f449f0a0-c77c-11ea-bebb-37c5ab5894ea) \\n[Suricata](/kibana/app/dashboards#/view/81057f40-7733-11ea-bee5-af7f7c7b8e05) \\n[Wazuh](/kibana/app/dashboards#/view/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n[Zeek](/kibana/app/dashboards#/view/fa9ed760-7734-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Alert Data\"}"}, "coreMigrationVersion": "7.16.2", 
"id": "30df00e0-7733-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 398], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODAwLDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:alert\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Security Onion - Alerts", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 400], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Alerts - Count", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Alerts - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"}, "coreMigrationVersion": "7.16.2", "id": "931cb6f0-72ae-11ea-8dd2-9d8795a1200b", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 402], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODAyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Alerts Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Alerts Over Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":null,\"y\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":
{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "b419b100-72ae-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 404], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODAzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Rule - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"p
arams\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Rule - Name\"}"}, "coreMigrationVersion": "7.16.2", "id": "508fb520-72af-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 406], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Rule - Severity", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event.severity_label.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - Rule - Severity\"}"}, "coreMigrationVersion": "7.16.2", "id": "a37b9fa0-72b0-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 408], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODA1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Rule - Category", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Rule - 
Category\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f7e1d570-72ae-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 410], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Destination Ports", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Destination 
Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 412], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODA3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset: alert\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Low & Medium 
Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":1,\"lt\":3},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"range\":{\"event.severity\":{\"gte\":1,\"lt\":3}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"High & Critical Severity\",\"disabled\":true,\"key\":\"event.severity\",\"negate\":false,\"params\":{\"gte\":3,\"lt\":5},\"type\":\"range\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"range\":{\"event.severity\":{\"gte\":3,\"lt\":5}}}]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":8,\"i\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\"},\"panelIndex\":\"c2ddba4b-b0a1-4204-b952-fdc8073dd3c6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":0,\"w\":13,\"h\":8,\"i\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\"},\"panelIndex\":\"5a22818d-a0f7-4b39-978f-bee1e4280a54\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":8,\"i\":\"41a7c313-2dc3-4563-8545-a55f57af532c\"},\"panelIndex\":\"41a7c313-2dc3-4563-8545-a55f57af532c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":29,\"h\":19,\"i\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\"},\"panelIndex\":\"7f00befc-4315-45d2-b686-fa99db9fb79c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\"},\"panelIndex\":\"1fa5c765-6991-4ece-a6a4-cdb6f2d35553\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":19,\"h\":18,\"i\":\"
eee74597-fa74-4bf6-9c71-429bfe4c3ecd\"},\"panelIndex\":\"eee74597-fa74-4bf6-9c71-429bfe4c3ecd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":27,\"w\":10,\"h\":18,\"i\":\"fa0e8955-a837-400c-abcb-43394471b39d\"},\"panelIndex\":\"fa0e8955-a837-400c-abcb-43394471b39d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":27,\"w\":10,\"h\":18,\"i\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\"},\"panelIndex\":\"b60abef8-9b1e-4bae-ac3f-d7eb5a230430\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":27,\"w\":9,\"h\":18,\"i\":\"799598a4-39de-455d-bc39-409466b8b119\"},\"panelIndex\":\"799598a4-39de-455d-bc39-409466b8b119\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"a801f4a1-b678-47f2-9602-9c46e65533ca\"},\"panelIndex\":\"a801f4a1-b678-47f2-9602-9c46e65533ca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - Alerts", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "0e4af1d0-72ae-11ea-8dd2-9d8795a1200b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "30df00e0-7733-11ea-bee5-af7f7c7b8e05", "name": "panel_0", "type": "visualization"}, {"id": "931cb6f0-72ae-11ea-8dd2-9d8795a1200b", "name": "panel_1", "type": "visualization"}, {"id": "b419b100-72ae-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "508fb520-72af-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": 
"visualization"}, {"id": "a37b9fa0-72b0-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "f7e1d570-72ae-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "visualization"}, {"id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 425], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODA4LDE1XQ=="} +{"attributes": {"columns": ["event_type", "source_ip", "source_port", "destination_ip", "destination_port", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:sysmon\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Sysmon - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 427], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sysmon - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source Hostname\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Hostname\"}},{\"id\":\"7\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "0eb1fd80-6d70-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 429], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODEwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Kerberos Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Kerberos Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.client.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0ecc7310-75bd-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 431], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODExLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "All Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 433], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODEyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Sensors/Devices - Total Number of Logs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sensors/Devices - Total Number of Logs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "0f25aac0-3434-11e7-8867-29a39c0f86b2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 435], "type": "visualization", 
"updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSH - Direction", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - SSH - Direction\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.direction.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.direction.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Direction\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "104a4a90-75eb-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 437], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODE0LDE1XQ=="} +{"attributes": {"columns": ["source_ip", 
"destination_ip", "message_types", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dhcp\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "DHCP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 439], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODE1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DHCP - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DHCP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "1055ada0-3655-11e7-baa7-b7de4ee40605", "migrationVersion": {"visualization": "7.14.0"}, 
"references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 441], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODE2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"9629c970-29fd-421c-a46a-0bf72171818e": {"columnOrder": ["398df44e-6553-4353-b8eb-a2d6c9f83dac"], "columns": {"398df44e-6553-4353-b8eb-a2d6c9f83dac": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"registry\" "}, "visualization": {"accessor": "398df44e-6553-4353-b8eb-a2d6c9f83dac", "layerId": "9629c970-29fd-421c-a46a-0bf72171818e", "layerType": "data"}}, "title": "Endgame - All Event.Cat:Registry Logs", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "10af1a20-6cc9-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-9629c970-29fd-421c-a46a-0bf72171818e", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 445], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODE3LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dce_rpc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": 
[["@timestamp", "desc"]], "title": "DCE/RPC - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 447], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "10b8a610-3af3-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 449], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODE5LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_radius\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RADIUS - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "75545310-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 451], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODIwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RADIUS - MAC", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RADIUS - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MAC Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "10cd7190-3809-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 453], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODIxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", 
"title": "Connections - Source - Sum of Total Bytes ( Tile Map)", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}", "version": 1, "visState": "{\"title\":\"Connections - Source - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "1156b1e0-46c7-11e7-946f-1bfb1be7c36b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 455], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Logstash - Processing Performance", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Logstash - Processing 
Performance\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Log Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Average processing time\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"},{\"data\":{\"id\":\"4\",\"label\":\"Standard Deviation of logstash_time\"},\"drawLinesBetweenPoints\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"mode\":\"stacked\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"customLabel\":\"Average processing time\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"size\":20,\"orderAgg\":{\"id\":\"2-orderAgg\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"orderAgg\",\"params\":{\"field\":\"logstash_time\"}},\"order\":\"desc\",\"orderBy\":\"custom\",\"customLabel\":\"Log 
Type\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"std_dev\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f86bc870-46ce-11e7-946f-1bfb1be7c36b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 457], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODIzLDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Errors", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ef487fd0-46cf-11e7-ba56-317a6969f55c", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 459], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODI0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Logstash - Error Type (Donut Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Logstash - Error Type (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tags.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"include\":\"_csvparsefailure|_grokparsefailure|_rubyexception\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3a273780-46d0-11e7-946f-1bfb1be7c36b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ef487fd0-46cf-11e7-ba56-317a6969f55c", "name": "search_0", "type": "search"}], "sort": [1643385898421, 461], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Logstash - Avg Processing Time", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Logstash - Avg Processing 
Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"avg\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHIynExQT5EBNmq49q", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 463], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Logstash - Median Processing TIme", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Logstash - Median Processing TIme\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"median\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\",\"percents\":[50]}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHJY1BxQT5EBNmq5Ay", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 465], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODI3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Logstash - Max Processing Time", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Logstash - Max Processing Time\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"logstash_time\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHJpuBxQT5EBNmq5Cr", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 467], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODI4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"tags:_grokparsefailure OR tags:_csvparsefailure OR tags:_rubyexception\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Logstash - Error Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Logstash - Error Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHKEF2xQT5EBNmq5FA", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 469], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Sensors/Devices and Services", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sensors/Devices and 
Services\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d8214de0-4a3a-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 471], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODMwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":12,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":28,\"x\":8,\"y\":36,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":64,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":64,\"x\":0,\"y\":0,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":88,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":16,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":24,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":12,\"x\":32,\"y\":0,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":28,\"x\":20,\"y\":36,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "z16.04 - Stats", "version": 
1}, "coreMigrationVersion": "7.16.2", "id": "130017f0-46ce-11e7-946f-1bfb1be7c36b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "f86bc870-46ce-11e7-946f-1bfb1be7c36b", "name": "panel_0", "type": "visualization"}, {"id": "0f25aac0-3434-11e7-8867-29a39c0f86b2", "name": "panel_1", "type": "visualization"}, {"id": "3a273780-46d0-11e7-946f-1bfb1be7c36b", "name": "panel_2", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_3", "type": "visualization"}, {"id": "ef487fd0-46cf-11e7-ba56-317a6969f55c", "name": "panel_4", "type": "search"}, {"id": "AWDHIynExQT5EBNmq49q", "name": "panel_5", "type": "visualization"}, {"id": "AWDHJY1BxQT5EBNmq5Ay", "name": "panel_6", "type": "visualization"}, {"id": "AWDHJpuBxQT5EBNmq5Cr", "name": "panel_7", "type": "visualization"}, {"id": "AWDHKEF2xQT5EBNmq5FA", "name": "panel_8", "type": "visualization"}, {"id": "d8214de0-4a3a-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 482], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODMxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Destination - Sum of Total Bytes ( Tile Map)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Destination - Sum of Total Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "1342e630-4632-11e7-9903-85f789353078", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 484], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODMyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"9f5d45b0-a078-4f86-b1f0-8e375d4ad641": {"columnOrder": ["b67d303e-9a64-468a-9297-60ee2bb030cf", "8fdfcdad-b05c-410d-a776-3e8ac8a74dc2"], "columns": {"8fdfcdad-b05c-410d-a776-3e8ac8a74dc2": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "b67d303e-9a64-468a-9297-60ee2bb030cf": {"dataType": "string", "isBucketed": true, "label": "Top values of endgame.event_subtype_full", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "8fdfcdad-b05c-410d-a776-3e8ac8a74dc2", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 6}, "scale": "ordinal", "sourceField": "endgame.event_subtype_full"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["b67d303e-9a64-468a-9297-60ee2bb030cf"], "layerId": "9f5d45b0-a078-4f86-b1f0-8e375d4ad641", "layerType": "data", "legendDisplay": "show", "metric": "8fdfcdad-b05c-410d-a776-3e8ac8a74dc2", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "donut"}}, "title": "Endgame - 
Event Category Pie Chart", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "137cda90-6a20-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-9f5d45b0-a078-4f86-b1f0-8e375d4ad641", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 488], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODMzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNS - Response Code Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response Code Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - DNS - Response Code Name\"}"}, "coreMigrationVersion": "7.16.2", "id": "13cda410-c770-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 490], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODM0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Username", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sysmon - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "13ed0810-6d72-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 492], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODM1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Connection State", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Connection 
State\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connection_state_description.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection State Description\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "13fe29c0-3b17-11e7-b871-5f76306b9694", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 494], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODM2LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_rfb\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "RFB - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 496], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODM3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Exclusive Session (Donut Chart)", "uiStateJSON": 
"{\"vis\":{\"legendOpen\":true}}", "version": 1, "visState": "{\"title\":\"RFB - Exclusive Session (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"share_flag.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "14274040-371f-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 498], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODM4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Agents", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Agents\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.type.keyword: 
Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"agent.version.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Agent\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "14ed9540-6ed7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 500], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODM5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "X.509 - Certificate Key Length (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Key Length (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Key Length\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_key_length\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Key Length\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "150f7280-6e37-11e7-a8d6-ed2e692de531", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 502], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Rule - Description", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - 
Rule - Description\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.description.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "1563f380-7737-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 504], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQxLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"(event_type:bro_smb_mapping OR event_type:bro_smb_files)\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "SMB - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 506], "type": 
"search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMB - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMB - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "15b4e7a0-3aad-11e7-8b17-0d8709b02c80", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 508], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DHCP - Server Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DHCP - Server 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Server Address\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "15fa3b30-7375-11ea-a3da-cbdb4f8a90c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 510], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQ0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Modbus - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Modbus - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "178209e0-6e1b-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 512], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RDP - Destination Port", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RDP - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "19dfd180-371c-11e7-90f8-87842d5eedc9", "migrationVersion": 
{"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 514], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQ2LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query\":\"event_type:ids\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "NIDS - Alerts", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 516], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS - Drilldown - Alert Title", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"NIDS - Drilldown - Alert Title\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":12}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"alert.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "1b3faca0-e064-11e9-8f0c-2ddbf5ed9290", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 518], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQ4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Source IP Address", "uiStateJSON": "{\"P-5\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"P-6\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}},\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Weird - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "1b837b00-364e-11e7-9dc3-d35061cb642d", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 520], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Total Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Total Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": 
"1c2aeb50-365e-11e7-b896-5bdd6bfa1561", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 522], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODUwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMB - Service", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMB - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "1c6567b0-75f0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 524], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODUxLDE1XQ=="} +{"attributes": {"columns": ["entry", "entry_location", "image_path", "hostname", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:autoruns\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Autoruns - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "dd700830-6d69-11e7-ad64-15aa071374a6", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 526], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Profile", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Autoruns - Profile\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"profile.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Profile\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "1cd6a970-6d79-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 528], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODUzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "ElastAlert - Log Count Over Time", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"ElastAlert - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "969e4820-7dce-11e7-a1a2-3be6827d22ce", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 530], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODU0LDE1XQ=="} +{"attributes": {"description": "", 
"kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "ElastAlert - Alert Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"ElastAlert - Alert Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert_info.type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f7998d60-7dce-11e7-a1a2-3be6827d22ce", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 532], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODU1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "ElastAlert - Rule", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"ElastAlert - 
Rule\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule_name\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Rule\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "5e1dc100-7dcf-11e7-a1a2-3be6827d22ce", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 534], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODU2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "ElastAlert - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"ElastAlert - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.source.ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 536], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "ElastAlert - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"ElastAlert - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination.ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a26faee0-7dcf-11e7-a1a2-3be6827d22ce", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 538], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "ElastAlert - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"ElastAlert - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"match_body.destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ce25b750-7dcf-11e7-a1a2-3be6827d22ce", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 540], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODU5LDE1XQ=="} +{"attributes": {"columns": ["rule_name", "matches", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "ElastAlert", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "e8840d40-7dcf-11e7-a1a2-3be6827d22ce", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:elastalert_status*", 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 542], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODYwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Elastalert - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Elastalert - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG7DVRxQT5EBNmq3zM", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:elastalert_status*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 544], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODYxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":48,\"i\"
:\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"rule_name\",\"matches\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"},\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - ElastAlert", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "1d98d620-7dce-11e7-846a-150cdcaf3374", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "969e4820-7dce-11e7-a1a2-3be6827d22ce", "name": "panel_1", "type": "visualization"}, {"id": "f7998d60-7dce-11e7-a1a2-3be6827d22ce", "name": "panel_2", "type": "visualization"}, {"id": "5e1dc100-7dcf-11e7-a1a2-3be6827d22ce", "name": "panel_3", "type": "visualization"}, {"id": "8ec77cb0-7dcf-11e7-a1a2-3be6827d22ce", "name": "panel_4", "type": "visualization"}, {"id": "a26faee0-7dcf-11e7-a1a2-3be6827d22ce", "name": "panel_5", "type": "visualization"}, {"id": "ce25b750-7dcf-11e7-a1a2-3be6827d22ce", "name": "panel_6", "type": "visualization"}, {"id": "e8840d40-7dcf-11e7-a1a2-3be6827d22ce", "name": "panel_7", "type": "search"}, {"id": "AWDG7DVRxQT5EBNmq3zM", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 554], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODYyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DNS - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "1ecdd2e0-34c0-11e7-9b32-bb903919ead9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 556], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODYzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Method (Horizontal Bar 
Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SIP - Method (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "1ef5c230-6e24-11e7-a261-55504638cf3b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 558], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODY0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - MySQL - Command/Argument", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - MySQL - Command/Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.command.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.argument.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Argument\"}}]}"}, "coreMigrationVersion": "7.16.2", 
"id": "1f306f60-75c0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 560], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODY1LDE1XQ=="} +{"attributes": {"columns": [], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "20c85b70-53aa-11ec-b3ef-6bcc33056a36", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 562], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODY2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Modbus - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Modbus - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "20eabd60-380b-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": 
"7.14.0"}, "references": [{"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 564], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODY3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNP3 - FC Reply", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - DNP3 - FC Reply\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "214793c0-75b9-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 566], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODY4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Destination Address", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "21d090d0-365b-11e7-8bd0-1db2c55fb7a1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 568], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNS - Response Code (Name)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - Response Code 
(Name)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rcode_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response Code (Name)\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "22f7de30-4949-11e8-9576-313be7c6b44b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 570], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODcwLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"7d4edcbb-fca9-47d9-93df-acba6aaf6f58": {"columnOrder": ["42bc4d8f-a628-4d50-96ac-b186a03aee07", "0601e3c4-200d-4b97-adec-7f6a16209269", "92a4b279-4a18-4513-a75c-52dcf79a6801"], "columns": {"0601e3c4-200d-4b97-adec-7f6a16209269": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}, "42bc4d8f-a628-4d50-96ac-b186a03aee07": {"dataType": "string", "isBucketed": true, "label": "Top values of event.action", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "92a4b279-4a18-4513-a75c-52dcf79a6801", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "event.action"}, "92a4b279-4a18-4513-a75c-52dcf79a6801": {"dataType": "number", "isBucketed": false, "label": "Count of 
records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["92a4b279-4a18-4513-a75c-52dcf79a6801"], "layerId": "7d4edcbb-fca9-47d9-93df-acba6aaf6f58", "layerType": "data", "seriesType": "bar_stacked", "splitAccessor": "42bc4d8f-a628-4d50-96ac-b186a03aee07", "xAccessor": "0601e3c4-200d-4b97-adec-7f6a16209269"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Network Category Graph", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "22ffcc70-6322-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 575], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODcxLDE1XQ=="} 
+{"attributes": {"columns": ["source_ip", "destination_ip", "destination_port", "resp_fuids", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_http\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "HTTP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 577], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODcyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"HTTP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "37f19e40-34c6-11e7-8360-0b86c90983fd", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 579], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - Sites", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - 
Sites\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8ba31820-34c6-11e7-8360-0b86c90983fd", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 581], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODc0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"\\\"application/x-dosexec\\\"\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "HTTP - Sites Hosting EXEs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - Sites Hosting EXEs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Site\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": 
"7153e7f0-34c7-11e7-8360-0b86c90983fd", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 583], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODc1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - URIs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - URIs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "aa7abb00-34e3-11e7-9669-7f1d3242b798", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 585], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODc2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ae1f1fb0-3648-11e7-bf60-314364dd1cde", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 587], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODc3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d0f56da0-3648-11e7-bf60-314364dd1cde", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 589], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODc4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ae591c20-4164-11e7-9850-b78558d0ac17", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 591], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - Referrer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - 
Referrer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"referrer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2a7c21d0-4165-11e7-9850-b78558d0ac17", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 593], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - MIME Type (Tag Cloud)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"HTTP - MIME Type (Tag Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":40,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"resp_mime_types.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "934fe550-6e08-11e7-9370-174c4785d3e1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 595], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzEzODgxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "HTTP - Destination Port (Vertical Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"HTTP - Destination Port (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75,\"filter\":true},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3f4abb40-6e0a-11e7-84cc-b363f104b3c7", "migrationVersion": 
{"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 597], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODgyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "HTTP - Destination Country (Vertical Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"HTTP - Destination Country (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"O
ther\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e41a0bd0-6e0a-11e7-84cc-b363f104b3c7", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 599], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "HTTP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"HTTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG97t7xQT5EBNmq4E1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 601], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODg0LDE1XQ=="} +{"attributes": {"description": "", 
"kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "HTTP - Status and Method", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "version": 1, "visState": "{\"title\":\"HTTP - Status and Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"status_message.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Status Message\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"method.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "66faa650-4c99-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 603], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODg1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": 
"{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":52,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":88,\"w\":48,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":112,\"w\":48,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":136,\"w\":48,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":216,\"w\":48,\"h\":36,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"resp_fuids\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":52,\"w\":24,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":52,\"w\":24,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}
},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":188,\"w\":48,\"h\":28,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":160,\"w\":48,\"h\":28,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":12,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":20,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":20,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"colors\":{\"Count\":\"#629E51\"}},\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":28,\"w\":40,\"h\":24,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"}]", "timeRestore": false, "title": "z16.04 - Bro - HTTP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "230134a0-34c6-11e7-8360-0b86c90983fd", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "37f19e40-34c6-11e7-8360-0b86c90983fd", "name": "panel_1", "type": "visualization"}, {"id": "8ba31820-34c6-11e7-8360-0b86c90983fd", 
"name": "panel_2", "type": "visualization"}, {"id": "7153e7f0-34c7-11e7-8360-0b86c90983fd", "name": "panel_3", "type": "visualization"}, {"id": "aa7abb00-34e3-11e7-9669-7f1d3242b798", "name": "panel_4", "type": "visualization"}, {"id": "fad7d170-342d-11e7-9e93-53b62e1857b2", "name": "panel_5", "type": "search"}, {"id": "ae1f1fb0-3648-11e7-bf60-314364dd1cde", "name": "panel_6", "type": "visualization"}, {"id": "d0f56da0-3648-11e7-bf60-314364dd1cde", "name": "panel_7", "type": "visualization"}, {"id": "ae591c20-4164-11e7-9850-b78558d0ac17", "name": "panel_8", "type": "visualization"}, {"id": "2a7c21d0-4165-11e7-9850-b78558d0ac17", "name": "panel_9", "type": "visualization"}, {"id": "934fe550-6e08-11e7-9370-174c4785d3e1", "name": "panel_10", "type": "visualization"}, {"id": "3f4abb40-6e0a-11e7-84cc-b363f104b3c7", "name": "panel_11", "type": "visualization"}, {"id": "e41a0bd0-6e0a-11e7-84cc-b363f104b3c7", "name": "panel_12", "type": "visualization"}, {"id": "AWDG97t7xQT5EBNmq4E1", "name": "panel_13", "type": "visualization"}, {"id": "66faa650-4c99-11e8-9b0a-f1d33346f773", "name": "panel_14", "type": "visualization"}], "sort": [1643385898421, 619], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODg2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Validation Status", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Validation 
Status\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation Status\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "23d22bd0-70b4-11e7-810e-2bafe9e41c10", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 621], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":{\"query_string\":{\"query\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "title": "Connections - Bytes and Duration", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Bytes and Duration\",\"type\":\"markdown\",\"params\":{\"markdown\":\"[Top Total Bytes](/kibana/app/dashboards#/view/a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b) \\n[Source - Originator Bytes](/kibana/app/dashboards#/view/68f738e0-46ca-11e7-946f-1bfb1be7c36b) | [Destination - Responder Bytes](/kibana/app/dashboards#/view/b65775e0-46cb-11e7-946f-1bfb1be7c36b) \\n[Source - Sum of Total Bytes](/kibana/app/dashboards#/view/f042ad60-46c6-11e7-946f-1bfb1be7c36b) | [Destination - Sum of Total Bytes](/kibana/app/dashboards#/view/ccfcc540-4638-11e7-a82e-d97152153689) \\n[Source - Top Connection Duration](/kibana/app/dashboards#/view/4e108070-46c7-11e7-946f-1bfb1be7c36b) | [Destination - Top Connection 
Duration](/kibana/app/dashboards#/view/ea211360-46c4-11e7-a82e-d97152153689)\",\"fontSize\":12,\"openLinksInNewTab\":false},\"aggs\":[]}"}, "coreMigrationVersion": "7.16.2", "id": "25ce6eb0-463b-11e7-a82e-d97152153689", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 622], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODg4LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_tunnels\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Tunnels - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 624], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODg5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Destination Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Tunnels - Destination 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "26457730-3808-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 626], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODkwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RFB - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "265a04d0-3640-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 628], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODkxLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_syslog\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Syslog (Bro) - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": 
"269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 630], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.category.keyword : \\\"process\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - Event.Cat:Process Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - Event.Cat:Process Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpo
late\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"}, "coreMigrationVersion": "7.16.2", "id": "269cd740-634c-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 633], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SIP - Method", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SIP - Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.method.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "272b8ab0-75ca-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 635], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODk0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Bro - Connections - Service By Destination Country", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Bro - Connections - Service By Destination 
Country\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"split\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\",\"row\":false}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "277f3250-4161-11e7-8493-51634b0a4565", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 637], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RADIUS - Result", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - RADIUS - 
Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"radius.result.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Result\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "27ab8260-75c5-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 639], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODk2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Argument", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FTP - 
Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_argument.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Argument\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e1907430-35b6-11e7-a994-c528746bc6e8", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 641], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODk3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Reply Message", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FTP - Reply Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"reply_message.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply Message\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "adcd38e0-3679-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 643], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "FTP - Reply Code", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"FTP - Reply Code\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"reply_code.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a0cb0860-367a-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 645], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzODk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FTP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "cf9e5660-367a-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 647], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTAwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Destination Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FTP - Destination Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f1d3d070-367a-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], 
"sort": [1643385898421, 649], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Username", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"title\":\"FTP - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f9904390-3bff-11e7-be35-e7fc4052ff75", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 651], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTAyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "eead8540-6e14-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 653], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTAzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FTP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"FTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, 
"coreMigrationVersion": "7.16.2", "id": "AWDG9sT_xQT5EBNmq4DI", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 655], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "FTP - Command", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FTP - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d5681260-4c8c-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 657], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTA1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":20,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":32,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"
enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "z16.04 - Bro - FTP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "27f3b380-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "06f21d60-35b6-11e7-a994-c528746bc6e8", "name": "panel_1", "type": "visualization"}, {"id": "e1907430-35b6-11e7-a994-c528746bc6e8", "name": "panel_2", "type": "visualization"}, {"id": "adcd38e0-3679-11e7-8c78-e3086faf385c", "name": "panel_3", "type": "visualization"}, {"id": "a0cb0860-367a-11e7-8c78-e3086faf385c", "name": "panel_4", "type": "visualization"}, {"id": "cf9e5660-367a-11e7-8c78-e3086faf385c", "name": "panel_5", "type": "visualization"}, {"id": "f1d3d070-367a-11e7-8c78-e3086faf385c", "name": "panel_6", "type": "visualization"}, {"id": "f9904390-3bff-11e7-be35-e7fc4052ff75", "name": "panel_7", "type": "visualization"}, {"id": "f21cb5f0-342d-11e7-9e93-53b62e1857b2", "name": "panel_8", "type": "search"}, {"id": "eead8540-6e14-11e7-8624-1fb07dd76c6a", "name": "panel_9", "type": "visualization"}, {"id": "AWDG9sT_xQT5EBNmq4DI", "name": "panel_10", "type": "visualization"}, {"id": "d5681260-4c8c-11e8-9b0a-f1d33346f773", "name": "panel_11", "type": "visualization"}], "sort": [1643385898421, 670], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzEzOTA2LDE1XQ=="} +{"attributes": {"columns": ["alert_level", "classification", "description"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:ossec\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "OSSEC - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "efba60c0-3642-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 672], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTA3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "OSSEC - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"OSSEC - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2817b300-3643-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "efba60c0-3642-11e7-a6f7-4f44d7bf1c33", "name": "search_0", "type": "search"}], "sort": [1643385898421, 674], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTA4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - PE - Machine", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.machine.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Machine\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - Machine\"}"}, "coreMigrationVersion": "7.16.2", "id": "282bf2c0-c763-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 676], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - X.509 - Key Type (Donut)", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.basic_constraints.ca: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - X.509 - Key Type (Donut)\"}"}, "coreMigrationVersion": "7.16.2", "id": "2895c940-75ef-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 678], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTEwLDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.dataset:http\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Security Onion - HTTP", 
"version": 1}, "coreMigrationVersion": "7.16.2", "id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 680], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTExLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - Virtual Host", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - Virtual Host\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.virtual_host.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Virtual Host\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "28bf2ef0-6eb7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 682], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTEyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, 
"savedSearchRefName": "search_0", "title": "Connections - Top Source IPs", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Top Source IPs\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "28c27f80-3b05-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 684], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTEzLDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "request_type", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_kerberos\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Kerberos - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "452daa10-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 686], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTE0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": 
"search_0", "title": "Kerberos - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "28d04080-3636-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 688], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTE1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSH - Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SSH - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"CLient\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "292b1db0-75ea-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 690], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTE2LDE1XQ=="} +{"attributes": {"columns": ["file_ip", "destination_ip", "source", "uid", "fuid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"event_type:bro_files\"}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Files - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": 
"e929e8a0-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 692], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTE3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FIles - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FIles - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "295d7ed0-3656-11e7-baa7-b7de4ee40605", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 694], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Target Filename", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sysmon - Target 
Filename\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"target_filename.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Filename\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "29611940-6d75-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 696], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTE5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Source Country", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Source Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "296823d0-366f-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": 
"search_0", "type": "search"}], "sort": [1643385898421, 698], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTIwLDE1XQ=="} +{"attributes": {"columns": ["action", "reason", "source_ip", "source_port", "destination_ip", "destination_port", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:firewall\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Firewall - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 700], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTIxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Action/Reason (Vertical Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Firewall - Action/Reason (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"Action\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"reason.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reason\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2a1eb100-6d82-11e7-bcd4-0d514e0e7da1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 702], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Version", "uiStateJSON": "{}", 
"version": 1, "visState": "{\"title\":\"SNMP - Version\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"top\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"version.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2a3ae810-36ba-11e7-9786-41a1d72e15ad", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 704], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTIzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DHCP - Lease Time", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dhcp.lease_time: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.lease_time\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2af5f980-96e2-11ea-814e-bb515e873c2c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 706], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTI0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Client/Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSH - Client/Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2bbdc020-6e34-11e7-9a19-a5996f8250c6", "migrationVersion": 
{"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 708], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.category : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - Registry Events", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - Registry Events\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host.hostname\",\"orderBy\":\"_key\",\"order\":\"desc\",\"size\":7,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"hostname\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"registry.key\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"registry key\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"registry.value\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"value\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"}, "coreMigrationVersion": "7.16.2", "id": "2cb579d0-64bd-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 711], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Files - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Files - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc
_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6571ee10-3584-11e7-a588-05992195c551", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 713], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTI3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Files - Files By Size (Bytes)", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Files - Files By Size (Bytes)\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"seen_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Bytes Seen\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "cb3f3850-3585-11e7-8f28-2b291d0f6d86", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 715], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTI4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FIles - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"FIles - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file_ip.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "67ab33d0-3656-11e7-baa7-b7de4ee40605", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 717], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Files - MIME Type (Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Files - MIME Type (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"rotate\":75,\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"MIME 
Type\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mimetype.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "8c57f3d0-3674-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 719], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTMwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "FIles - MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
"version": 1, "visState": "{\"title\":\"FIles - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "aa021c90-3678-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 721], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTMxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Files - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Files - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG9goqxQT5EBNmq4BP", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 723], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTMyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Files - Source", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Files - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "dff32860-4c8b-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 725], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTMzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"file_ip\",\"destination_ip\",\"source\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\
"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "z16.04 - Bro - Files", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "2d315d80-3582-11e7-98ef-19df58fe538b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "6571ee10-3584-11e7-a588-05992195c551", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "e929e8a0-342d-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": "search"}, {"id": "cb3f3850-3585-11e7-8f28-2b291d0f6d86", "name": "panel_3", "type": "visualization"}, {"id": "295d7ed0-3656-11e7-baa7-b7de4ee40605", "name": "panel_4", "type": "visualization"}, {"id": "67ab33d0-3656-11e7-baa7-b7de4ee40605", "name": "panel_5", "type": "visualization"}, {"id": "8c57f3d0-3674-11e7-8c78-e3086faf385c", "name": "panel_6", "type": "visualization"}, {"id": "aa021c90-3678-11e7-8c78-e3086faf385c", "name": "panel_7", "type": "visualization"}, {"id": "AWDG9goqxQT5EBNmq4BP", "name": "panel_8", "type": "visualization"}, {"id": "dff32860-4c8b-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 736], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTM0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Kerberos - Request Type", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Kerberos - Request Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.request_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2d73e460-75bd-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 738], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTM1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2da139c0-34e7-11e7-9118-45bd317f0ca4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 740], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTM2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SIP - Content Type (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SIP - Content Type (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"content_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2db47070-3754-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 742], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTM3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - X.509 - Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - X.509 - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e3fb39a0-75ee-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 744], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTM4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - X.509 - SAN DNS", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - X.509 - SAN 
DNS\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.san_dns.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.san_dns.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SAN DNS\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "47f40770-75ef-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 746], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTM5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - X.509 - Issuer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - X.509 - 
Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"x509.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "b7334c00-75ee-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 748], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - X509 - Key Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"x509.certificate.key.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Key Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - X509 - Key Type\"}"}, "coreMigrationVersion": "7.16.2", "id": "8d4a9990-c77c-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 750], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:x509\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":8,\"i\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\"},\"panelIndex\":\"2d374b61-ac4b-4f89-aec2-254ab0a2e011\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":8,\"i\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\"},\"panelIndex\":\"7372042e-3e70-4764-abb1-0c4c9288ff23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\"},\"panelIndex\":\"eee8c3b6-66eb-4427-99ed-459c294599c7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":30,\"h\":22,\"i\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\"},\"panelIndex\":\"3c5d4fc3-bad7-435e-aadc-21de562b638d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":22,\"i\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\"},\"panelIndex\":\"3fb3ec30-312a-45aa-93be-b8955615bf71\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":30,\"h\":21,\"i\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\"},\"panelIndex\":\"0a395978-b95f-4bfc-82fa-737307cd8ebd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":30,\"w\":18,\"h\":21,\"i\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\"},\"panelIndex\":\"e6e39ec1-063a-4e34-a909-4f47397fa79b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":51,\"w\":48,\"h\":29,\"i\":\"3fa098f8-4a37-410e-a8f5-fd3667865c3f\"},\"panelIndex\":\"3fa098f8-4a37-410e-a8f5-fd3667865c3f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - X509", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "2e0865f0-75ee-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "e3fb39a0-75ee-11ea-9565-7315f4ee5cac", "name": "panel_3", "type": "visualization"}, {"id": "47f40770-75ef-11ea-9565-7315f4ee5cac", "name": "panel_4", "type": "visualization"}, {"id": "b7334c00-75ee-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "8d4a9990-c77c-11ea-bebb-37c5ab5894ea", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 759], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RDP - Cookie", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RDP - 
Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.cookie.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.cookie.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Cookie\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2e7363f0-75c6-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 761], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Entry", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Autoruns - 
Entry\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"entry_location.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Entry Location\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "2ef9ccd0-6d7a-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 763], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQ0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"d3d228ff-cc82-48f3-948f-6dad9c1d9208": {"columnOrder": ["fb32a3f2-725e-4068-abde-754d39d98a5c", "0b079a50-9c2b-47f9-b075-b982490e923c", "0b079a50-9c2b-47f9-b075-b982490e923cX0"], "columns": {"0b079a50-9c2b-47f9-b075-b982490e923c": {"dataType": "number", "isBucketed": false, "label": "count()", "operationType": "formula", "params": {"formula": "count()", "isFormulaBroken": false}, "references": ["0b079a50-9c2b-47f9-b075-b982490e923cX0"], "scale": "ratio"}, "0b079a50-9c2b-47f9-b075-b982490e923cX0": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Part of count()", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "fb32a3f2-725e-4068-abde-754d39d98a5c": {"dataType": "string", "isBucketed": true, "label": "Top values of event.type", "operationType": 
"terms", "params": {"missingBucket": false, "orderBy": {"fallback": true, "type": "alphabetical"}, "orderDirection": "asc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.type"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["fb32a3f2-725e-4068-abde-754d39d98a5c"], "layerId": "d3d228ff-cc82-48f3-948f-6dad9c1d9208", "layerType": "data", "legendDisplay": "show", "metric": "0b079a50-9c2b-47f9-b075-b982490e923c", "nestedLegend": false, "numberDisplay": "percent"}], "palette": {"name": "default", "type": "palette"}, "shape": "donut"}}, "title": "Endgame - Network Type Chart", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "2f20b2c0-6323-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-d3d228ff-cc82-48f3-948f-6dad9c1d9208", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 768], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "osquery - Change Stats", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"osquery - 
Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2f556c90-14e3-11e9-82f7-0da02d93a48b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "84116380-14e1-11e9-82f7-0da02d93a48b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 770], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQ2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - All Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - All Log Count Over 
Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"}, "coreMigrationVersion": "7.16.2", "id": "2f7966b0-53a4-11ec-b3ef-6bcc33056a36", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": 
"41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 773], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:files\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - File - Analyzer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - File - Analyzer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.analyzer.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.analyzer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Analyzer\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "2fc4bea0-7730-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 775], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQ4LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_dnp3\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "DNP3 - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c2587840-342d-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 777], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DNP3 - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "593f1850-3581-11e7-98ef-19df58fe538b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 779], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTUwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNP3 - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "dde8c8a0-3719-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 781], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTUxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNP3 - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ef7546c0-3719-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 783], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNP3 - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "4898f230-6e0e-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 785], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTUzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"DNP3 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG9DWvxQT5EBNmq3-m", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 787], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTU0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Function Request", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNP3 - Function Request\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_request.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "857c6760-4a4d-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 789], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTU1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNP3 - Function Reply", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNP3 - Function Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"fc_reply.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Reply\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "bd5435f0-4a4d-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 791], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTU2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":12,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":32,\"w\":12,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":32,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - Bro - DNP3", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "2fdf5bf0-3581-11e7-98ef-19df58fe538b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "593f1850-3581-11e7-98ef-19df58fe538b", "name": "panel_1", "type": "visualization"}, {"id": "dde8c8a0-3719-11e7-90f8-87842d5eedc9", "name": "panel_2", "type": "visualization"}, {"id": "ef7546c0-3719-11e7-90f8-87842d5eedc9", "name": "panel_3", "type": "visualization"}, {"id": "c2587840-342d-11e7-9e93-53b62e1857b2", "name": "panel_4", "type": "search"}, {"id": "4898f230-6e0e-11e7-8624-1fb07dd76c6a", "name": "panel_5", "type": "visualization"}, {"id": "AWDG9DWvxQT5EBNmq3-m", "name": "panel_6", "type": "visualization"}, {"id": "857c6760-4a4d-11e8-9b0a-f1d33346f773", "name": "panel_7", "type": "visualization"}, {"id": "bd5435f0-4a4d-11e8-9b0a-f1d33346f773", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 801], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Intel - Seen (Donut Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "version": 1, "visState": "{\"title\":\"Intel - Seen (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"seen_where.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Seen (Where)\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3013af40-399b-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 803], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Authentication Result", "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", "version": 1, "visState": "{\"title\":\"RADIUS - Authentication 
Result\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "30348db0-4a5b-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 805], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMB - File/Path Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":5,\"direction\":\"desc\"}}}}", "version": 1, "visState": "{\"title\":\"SMB - File/Path Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File 
Path\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"File Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"action.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "306c4330-4175-11e7-a0f7-47f4c03e3306", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 807], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTYwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sysmon - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_hostname.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3072c750-6d71-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 809], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTYxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "title": "Security Onion - Navigation", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Navigation\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Event Category** \\n[Alert](/kibana/app/dashboards#/view/0e4af1d0-72ae-11ea-8dd2-9d8795a1200b) | \\n[File](/kibana/app/dashboards#/view/0245be10-6ec1-11ea-9266-1fd14ca6af34) |\\n[Host](/kibana/app/dashboards#/view/92e63cc0-6ec0-11ea-9266-1fd14ca6af34) | 
[Network](/kibana/app/dashboards#/view/04ff3ef0-6ea4-11ea-9266-1fd14ca6af34) \"},\"aggs\":[]}"}, "coreMigrationVersion": "7.16.2", "id": "8cfec8c0-6ec2-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 810], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTYyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"*\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\"},\"panelIndex\":\"c706b8e5-9d49-4700-a3ea-26e86ac3a4c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":0,\"w\":16,\"h\":8,\"i\":\"77c5d557-83e4-40b9-9177-388db29d711d\"},\"panelIndex\":\"77c5d557-83e4-40b9-9177-388db29d711d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":8,\"i\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\"},\"panelIndex\":\"f044ff9c-455a-4085-88c8-92e9ead2bba0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"54873f75-4452-4938-840d-3a2f50547a88\"},\"panelIndex\":\"54873f75-4452-4938-840d-3a2f50547a88\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":9,\"y\":8,\"w\":13,\"h\":19,\"i\":\"30749cb6-18ad-4069-b18d-5912086fff9c\"},\"panelIndex\":\"30749cb6-18ad-4069-b18d-5912086fff9c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":22,\"y\":8,\"w\":13,\"h\":19,\"i\":\"7c498d50-d009-493a-a8c9-c91303ad5556\"},\"panelIndex\":\"7c498d50-
d009-493a-a8c9-c91303ad5556\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":35,\"y\":8,\"w\":13,\"h\":19,\"i\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\"},\"panelIndex\":\"2f69e716-e6e9-4595-801d-8f59b7d2c574\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":31,\"i\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\"},\"panelIndex\":\"6ddfd0a2-337e-47d1-8d4c-bc386a4210af\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "Security Onion - Indicator", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "30d0ac90-729f-11ea-8dd2-9d8795a1200b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "8cfec8c0-6ec2-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "d9eb5b30-6ea9-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_3", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 819], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTYzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - Destination IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - 
HTTP - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Source IP\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "30e97190-6eb6-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 821], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTY0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Weird - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "312cd460-364e-11e7-9dc3-d35061cb642d", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 823], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTY1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RFB - Server Version", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.server_major_version.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.server_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "316e90a0-75c8-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 825], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTY2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DHCP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DHCP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "317f8410-3655-11e7-baa7-b7de4ee40605", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 827], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTY3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMB - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "31f5e040-3aad-11e7-8b17-0d8709b02c80", "migrationVersion": {"visualization": "7.14.0"}, 
"references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 829], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTY4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "title": "Security Onion - Host Data", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"markdown\",\"aggs\":[],\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Home](/kibana/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645) \\n \\n**Modules** \\n[Osquery](/kibana/app/dashboards#/view/bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05) \\n[Sysmon](/kibana/app/dashboards#/view/32f01e80-c780-11ea-bebb-37c5ab5894ea) \\n[Wazuh](/kibana/app/dashboards#/view/9480f190-7732-11ea-bee5-af7f7c7b8e05) \\n\"},\"title\":\"Security Onion - Host Data\"}"}, "coreMigrationVersion": "7.16.2", "id": "df50eba0-6ec0-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 830], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Username", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Username\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Username\"}"}, "coreMigrationVersion": "7.16.2", "id": "767c89f0-af4c-11ea-b262-353d451b125b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 832], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTcwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Host - Process CLI", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Host - Process 
CLI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.command_line.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Line\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "758187b0-72bd-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 834], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTcxLDE1XQ=="} +{"attributes": {"columns": ["host.name", "event.module", "event.dataset", "process.command_line", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.category:host \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [], "title": "Security Onion - Host Logs", "version": 1}, 
"coreMigrationVersion": "7.16.2", "id": "a866be10-0e45-11eb-a255-e1e8e85e3571", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 836], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTcyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.module:sysmon\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":16,\"i\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\"},\"panelIndex\":\"a49b6a25-fbb1-45bb-9585-c6ade0fced1f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":12,\"y\":7,\"w\":12,\"h\":16,\"i\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\"},\"panelIndex\":\"0172c75f-b90b-4bd6-852f-0852a2ace598\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":7,\"w\":24,\"h\":16,\"i\":\"1d246882-3945-4a7e-b602-15ccf3f09310\"},\"panelIndex\":\"1d24
6882-3945-4a7e-b602-15ccf3f09310\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"48739737-ef82-4533-9a8e-f9fe0f615b05\"},\"panelIndex\":\"48739737-ef82-4533-9a8e-f9fe0f615b05\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]", "timeRestore": false, "title": "Security Onion - Sysmon", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "32f01e80-c780-11ea-bebb-37c5ab5894ea", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "df50eba0-6ec0-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_3", "type": "visualization"}, {"id": "767c89f0-af4c-11ea-b262-353d451b125b", "name": "panel_4", "type": "visualization"}, {"id": "758187b0-72bd-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "a866be10-0e45-11eb-a255-e1e8e85e3571", "name": "panel_6", "type": "search"}], "sort": [1643385898421, 844], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNS - Query Type Name (Donut)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - DNS - Query Type Name 
(Donut)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"dns.query.type_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "336dbde0-88aa-11eb-9841-852c8cc8a2e8", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 846], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTc0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Action (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Tunnels - Action (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Action\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "33b39a60-6e35-11e7-9a19-a5996f8250c6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 848], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTc1LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", 
"hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_irc\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "IRC - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "344c6010-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 850], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTc2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Syslog - Severity (Horizontal Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false},\"spy\":{\"mode\":{\"name\":null,\"fill\":false}}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Severity (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":false,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{\"text\":\"Severity\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"severity.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Severity\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "346e5c30-76b7-11e7-94e1-3d2ec4e57ed9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 852], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTc3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMB - Share Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - 
SMB - Share Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.share_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "34762420-75f0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 854], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTc4LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0": {"columnOrder": ["b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e"], "columns": {"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": "event.category.keyword : \"file\""}, "visualization": {"accessor": 
"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e", "layerId": "265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0", "layerType": "data"}}, "title": "Endgame - File All Logs", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "3505d400-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 859], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Intel - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "361d0bd0-35b7-11e7-a994-c528746bc6e8", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 861], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DHCP - Message Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - DHCP - Message Type\"}"}, "coreMigrationVersion": "7.16.2", "id": "36200e40-c76b-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 863], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTgxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "osquery - Changes by Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"osquery - Changes by 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Change Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "369e16e0-14e4-11e9-82f7-0da02d93a48b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "84116380-14e1-11e9-82f7-0da02d93a48b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 865], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTgyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Certificate Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Certificate Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "3753e110-365a-11e7-bf60-314364dd1cde", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 867], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - IRC - Command Info", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - IRC - Command Info\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.command.info.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc.command.info.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Info\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "db279540-75bb-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 869], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTg0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - User Command Overview", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - User Command Overview\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.nickname.keyword: Descending\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Command Type\",\"aggType\":\"terms\"},{\"accessor\":4,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"irc.username.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.username.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.nickname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"irc.command.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Command Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f7ee5fb0-75bb-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 871], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTg1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:irc\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\"},\"panelIndex\":\"2d2b4444-14c0-4812-a22e-ca6d509a0c7f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\"},\"panelIndex\":\"0035e7f6-2c85-494d-88aa-0f6ebc21f6c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\"},\"panelIndex\":\"147c5d40-556b-4b41-a1bb-ed0976fae0c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\"},\"panelIndex\":\"9a9084a5-0f74-4bdd-befd-b9bece56ea53\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":9,\"h\":19,\"i\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\"},\"panelIndex\":\"9ffba622-36f6-4343-b0a3-1c59e3f6d297\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":17,\"y\":8,\"w\":15,\"h\":19,\"i\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\"},\"panelIndex\":\"f0f0af04-4f81-437a-ada5-173a1ef8bd11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\"},\"panelIndex\":\"3dab7339-3266-4127-86f3-eef2108d5dbf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":47,\"h\":29,\"i\":\"f5bae4c6-d940-4a76-ba9c-3d5c5ab6849e\"},\"panelIndex\":\"f5bae4c6-d940-4a76-ba9c-3d5c5ab6849e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - IRC", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "38523560-75ba-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "db279540-75bb-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "f7ee5fb0-75bb-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 880], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTg2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"d1d0219a-3c5d-4c24-943c-dafe00421b26": {"columnOrder": ["e3d97be9-0be4-484c-96d1-4a0a448d0cc5", "caaf881d-e6f4-42fd-a4a1-4f31bac99ae1", "01d1bced-438c-4d43-8656-c0ccc397b73a", "32e4e9b9-39d0-4f61-827b-d04b53c6963d", "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2"], "columns": {"01d1bced-438c-4d43-8656-c0ccc397b73a": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "process.name"}, "32e4e9b9-39d0-4f61-827b-d04b53c6963d": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": 
false, "orderBy": {"columnId": "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "user.name"}, "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Total network.bytes", "operationType": "sum", "scale": "ratio", "sourceField": "network.bytes"}, "caaf881d-e6f4-42fd-a4a1-4f31bac99ae1": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "destination.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "destination.ip"}, "e3d97be9-0be4-484c-96d1-4a0a448d0cc5": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "source.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "source.ip"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "01d1bced-438c-4d43-8656-c0ccc397b73a", "isTransposed": false}, {"columnId": "32e4e9b9-39d0-4f61-827b-d04b53c6963d", "isTransposed": false}, {"columnId": "7351d5b7-3a5e-425e-ae08-c2ba2f5fb4b2", "isTransposed": false}, {"columnId": "e3d97be9-0be4-484c-96d1-4a0a448d0cc5", "isTransposed": false}, {"columnId": "caaf881d-e6f4-42fd-a4a1-4f31bac99ae1", "isTransposed": false}], "layerId": "d1d0219a-3c5d-4c24-943c-dafe00421b26", 
"layerType": "data"}}, "title": "Endgame - Network Traffic", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "38c95ae0-6e4d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-d1d0219a-3c5d-4c24-943c-dafe00421b26", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 885], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "NIDS - Alert Summary - Drilldown", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS - Alert Summary - Drilldown\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP 
Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 887], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTg4LDE1XQ=="} +{"attributes": {"columns": ["message"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:ossec_archive\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "OSSEC - Archive", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ebf74e90-342f-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 889], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTg5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "OSSEC - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"OSSEC - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHHXl3xQT5EBNmq42U", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "efba60c0-3642-11e7-a6f7-4f44d7bf1c33", "name": "search_0", "type": "search"}], "sort": [1643385898421, 891], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTkwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":8,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"alert_level\",\"classification\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"columns\":[\"message\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"}]", "timeRestore": false, "title": "z16.04 - OSSEC", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "3a457d70-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "2817b300-3643-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "efba60c0-3642-11e7-a6f7-4f44d7bf1c33", "name": "panel_2", "type": "search"}, {"id": "ebf74e90-342f-11e7-9e93-53b62e1857b2", "name": "panel_3", "type": "search"}, {"id": "AWDHHXl3xQT5EBNmq42U", "name": "panel_4", "type": "visualization"}], "sort": [1643385898421, 897], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTkxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - All Log Count Over Time Stacked Bar Graph", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - All Log Count Over Time Stacked Bar Graph\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"group\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"defaul
t\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"row\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "3ae34620-6258-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 900], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - MySQL - Response", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.response.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": 
"3af496e0-75c0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 902], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTkzLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"9643f560-7a46-408c-b61d-ed2a87fc6103": {"columnOrder": ["305b2f21-9981-40d5-a79b-f7a78eea89b4", "3520723b-f0f3-4845-975c-e97380d8124b"], "columns": {"305b2f21-9981-40d5-a79b-f7a78eea89b4": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "3520723b-f0f3-4845-975c-e97380d8124b", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "process.name"}, "3520723b-f0f3-4845-975c-e97380d8124b": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["305b2f21-9981-40d5-a79b-f7a78eea89b4"], "layerId": "9643f560-7a46-408c-b61d-ed2a87fc6103", "layerType": "data", "legendDisplay": "default", "metric": "3520723b-f0f3-4845-975c-e97380d8124b", "nestedLegend": false, "numberDisplay": "percent"}], "palette": {"name": "kibana_palette", "type": "palette"}, "shape": "treemap"}}, "title": "Endgame - Alerted Processes", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "3b3e2860-6cc1-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": 
"indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 906], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTk0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - Hosts", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - Hosts\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"host.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}"}, "coreMigrationVersion": "7.16.2", "id": "3b50b220-53ab-11ec-b3ef-6bcc33056a36", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 908], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Image", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"}}}}", "version": 1, "visState": "{\"title\":\"Sysmon - 
Image\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":2,\"direction\":\"desc\"},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"parent_image_path.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"None\",\"exclude\":\"\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Parent Image\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3b6c92c0-6d72-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 910], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTk2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Syslog - Priority (Vertical bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Syslog - Priority (Vertical bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Priority\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog-priority.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "name": "search_0", "type": "search"}], "sort": [1643385898421, 912], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTk3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "IRC - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"IRC 
- Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3c073d20-6e17-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 914], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Modbus - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Modbus - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3c65f500-380b-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 916], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzEzOTk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Tunnels - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "3cdf2400-3808-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, 
"references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 918], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDAwLDE1XQ=="} +{"attributes": {"description": null, "state": {"datasourceStates": {"indexpattern": {"layers": {"ada16f03-98be-4005-a5de-c8d6ab2f41b0": {"columnOrder": ["c6cd0d5c-dbcb-47e3-9849-af365d083036", "b8110029-a497-4182-982f-dc8a78dc672d", "ae6e4640-cf44-48dd-9d9d-8849ed9af262"], "columns": {"ae6e4640-cf44-48dd-9d9d-8849ed9af262": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "b8110029-a497-4182-982f-dc8a78dc672d": {"dataType": "string", "isBucketed": true, "label": "Top values of event.module.keyword", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ae6e4640-cf44-48dd-9d9d-8849ed9af262", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "event.module.keyword"}, "c6cd0d5c-dbcb-47e3-9849-af365d083036": {"dataType": "string", "isBucketed": true, "label": "Top values of event.category.keyword", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ae6e4640-cf44-48dd-9d9d-8849ed9af262", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.category.keyword"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["c6cd0d5c-dbcb-47e3-9849-af365d083036", "b8110029-a497-4182-982f-dc8a78dc672d"], "layerId": "ada16f03-98be-4005-a5de-c8d6ab2f41b0", "layerType": "data", "legendDisplay": "default", "metric": "ae6e4640-cf44-48dd-9d9d-8849ed9af262", "nestedLegend": true, "numberDisplay": "percent", "percentDecimals": 2}], "palette": {"name": "status", "type": 
"palette"}, "shape": "pie"}}, "title": "Security Onion - Data Overview (Lens)", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "3e1a8260-8809-11eb-9841-852c8cc8a2e8", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "logs-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29", "name": "indexpattern-datasource-layer-ada16f03-98be-4005-a5de-c8d6ab2f41b0", "type": "index-pattern"}], "sort": [1643385898421, 921], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - File - Source", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.action.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3e6037d0-75f2-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 923], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDAyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "NIDS - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "3f040620-4a44-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 925], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDAzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "3f34faa0-3636-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 927], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Agent - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Agent - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "407784f0-7738-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 929], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDA1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Connections - Top 10 - Total Bytes By Source IP", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Source IP\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Source IP 
Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_ip\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 931], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "X.509 - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"X.509 - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "41bee360-3642-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, 
"references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 933], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDA3LDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:creation_date AND creation_date:[now-3M TO now]\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "DNS - Domains with creation date < 3 months", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "fce833e0-6f12-11e7-86c8-a1b6db3b051a", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 935], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDA4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Baby Domain Requests", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - Baby Domain 
Requests\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"creation_date\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"_term\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "41ec0ca0-6f13-11e7-86c8-a1b6db3b051a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "fce833e0-6f12-11e7-86c8-a1b6db3b051a", "name": "search_0", "type": "search"}], "sort": [1643385898421, 937], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SNMP - Community String", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SNMP - Community 
String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"snmp.community.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"snmp.community.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Community String\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "424ace90-75e9-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 939], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDEwLDE1XQ=="} +{"attributes": {"columns": [], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"process\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"process\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame - Process Search", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "424d7a60-6f0b-11ec-864c-8b5450f97635", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1643385898421, 942], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDExLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"10863c78-73fc-4739-88ea-b6e3419da4db": {"columnOrder": ["e472c6a1-d786-43f7-95f0-df55a990e268", "4e101a7c-04a5-4ab9-96c5-ef10fc92547b"], "columns": {"4e101a7c-04a5-4ab9-96c5-ef10fc92547b": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "e472c6a1-d786-43f7-95f0-df55a990e268": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": 
{"language": "kuery", "query": ""}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["4e101a7c-04a5-4ab9-96c5-ef10fc92547b"], "layerId": "10863c78-73fc-4739-88ea-b6e3419da4db", "layerType": "data", "position": "top", "seriesType": "line", "showGridlines": false, "xAccessor": "e472c6a1-d786-43f7-95f0-df55a990e268"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "line", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - File Log Count Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "42a22c30-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-10863c78-73fc-4739-88ea-b6e3419da4db", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 947], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDEyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "42b17660-4a47-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 949], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Syslog - Log Count Over Time", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Syslog - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 10 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "name": "search_0", "type": "search"}], "sort": [1643385898421, 951], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDE0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Syslog - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Syslog - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-sourceip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "name": "search_0", "type": "search"}], "sort": [1643385898421, 953], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDE1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Syslog - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHKVLMxQT5EBNmq5HX", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "name": "search_0", "type": "search"}], "sort": [1643385898421, 955], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDE2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":60,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"syslog-host_from\",\"syslog-priority\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]", "timeRestore": false, "title": "z16.04 - Syslog", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4323af90-76e5-11e7-ab14-e1a4c1bc11e0", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "79a2a4e0-76e5-11e7-ab14-e1a4c1bc11e0", "name": "panel_1", "type": "visualization"}, {"id": 
"e7a99b10-76e5-11e7-ab14-e1a4c1bc11e0", "name": "panel_2", "type": "visualization"}, {"id": "0a2ce700-76e6-11e7-ab14-e1a4c1bc11e0", "name": "panel_3", "type": "visualization"}, {"id": "3bf1fdc0-76e6-11e7-ab14-e1a4c1bc11e0", "name": "panel_4", "type": "visualization"}, {"id": "5a86ffe0-76e3-11e7-ab14-e1a4c1bc11e0", "name": "panel_5", "type": "search"}, {"id": "AWDHKVLMxQT5EBNmq5HX", "name": "panel_6", "type": "visualization"}], "sort": [1643385898421, 963], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDE3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Type (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Tunnels - Type (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "43b2b040-3807-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 965], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "X.509 - Certificate Key Algorithm (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Key Algorithm (Horizontal Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"certificate_key_algorithm.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "446e85c0-6e37-11e7-a8d6-ed2e692de531", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 967], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDE5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", 
"title": "Security Onion - Least Common HTTP Methods", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Least Common HTTP Methods\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":13,\"maxFontSize\":39,\"showLabel\":false,\"metric\":{\"type\":\"vis_dimension\",\"accessor\":1,\"format\":{\"id\":\"string\",\"params\":{}}},\"bucket\":{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.method.keyword\",\"orderBy\":\"1\",\"order\":\"asc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "6411e5b0-6eb2-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 969], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDIwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - Source IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - Source 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Destination IP\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 971], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDIxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"destination.port: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "51ad64d0-6eb7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 973], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - UserAgent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - 
UserAgent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.useragent.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"UserAgent\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c2f93f40-6ed7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 975], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDIzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - URI", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"http.uri.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"http.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"URI\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f22e8660-6eb6-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 977], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDI0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:http\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\"},\"panelIndex\":\"6e3caf86-a1ea-4363-9c73-205de5f43ba9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\"},\"panelIndex\":\"0b0546ef-637b-4a40-b87b-a454b78cc810\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\"},\"panelIndex\":\"9c49b93a-5b5d-4613-8342-c01c69970bce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\"},\"panelIndex\":\"15d7c88b-1619-4290-8968-fa2adfddd72f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\"},\"panelIndex\":\"d1219968-6b7f-4040-9c75-0611b9cbf8a0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":18,\"i\":\"377e3099-7aec-474c-9201-2f1845c58d24\"},\"panelIndex\":\"377e3099-7aec-474c-9201-2f1845c58d24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":9,\"w\":23,\"h\":18,\"i\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\"},\"panelIndex\":\"1b444602-2f1c-4c32-85fc-1e5f46235303\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":11,\"h\":18,\"i\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\"},\"panelIndex\":\"9b1df72c-b6fd-4abd-a961-32176c26cc3d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"
7.9.0\",\"gridData\":{\"x\":11,\"y\":27,\"w\":10,\"h\":18,\"i\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\"},\"panelIndex\":\"52c3ab70-9b8d-4c26-953d-f1a943fdff38\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":21,\"y\":27,\"w\":27,\"h\":18,\"i\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\"},\"panelIndex\":\"ea97cb71-fbb6-46ae-bb4a-4d01c3a6edb2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"17d41692-eb81-4c13-aaa3-2a4bccc125df\"},\"panelIndex\":\"17d41692-eb81-4c13-aaa3-2a4bccc125df\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - HTTP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "44e9c820-6eb1-11ea-9266-1fd14ca6af34", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "6411e5b0-6eb2-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6d0fb2b0-6eb6-11ea-9266-1fd14ca6af34", "name": "panel_3", "type": "visualization"}, {"id": "30e97190-6eb6-11ea-9266-1fd14ca6af34", "name": "panel_4", "type": "visualization"}, {"id": "51ad64d0-6eb7-11ea-9266-1fd14ca6af34", "name": "panel_5", "type": "visualization"}, {"id": "c2f93f40-6ed7-11ea-9266-1fd14ca6af34", "name": "panel_6", "type": "visualization"}, {"id": "088aad70-7377-11ea-a3da-cbdb4f8a90c0", "name": "panel_7", "type": "visualization"}, {"id": "28bf2ef0-6eb7-11ea-9266-1fd14ca6af34", "name": "panel_8", "type": "visualization"}, {"id": "f22e8660-6eb6-11ea-9266-1fd14ca6af34", "name": "panel_9", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_10", "type": "search"}], "sort": [1643385898421, 989], "type": 
"dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Modbus - Function", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Modbus - Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"function.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Function\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "453f8b90-4a58-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 991], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "NIDS Alerts - Category", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"NIDS Alerts - 
Category\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":200},\"position\":\"left\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Category\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"normal\",\"show\":true,\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":true,\"rotate\":75,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"bottom\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "45464b50-3af6-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 993], "type": "visualization", 
"updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDI3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNS - Query Class (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DNS - Query Class (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_class_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query Class\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "45a652b0-34c1-11e7-917c-af7a9d11771a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 995], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDI4LDE1XQ=="} +{"attributes": {"columns": ["message", "fuid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_pe\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "PE - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "66288140-342e-11e7-9e93-53b62e1857b2", "migrationVersion": 
{"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 997], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "PE - OS (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"PE - OS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"os.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "45c4ae10-380c-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 999], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDMwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSH - Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SSH - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.server.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssh.server.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "46221fe0-75ea-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1001], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDMxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "cbb67b00-3af2-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1003], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDMyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Source IP Address", 
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1005], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDMzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Endpoint", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"endpoint.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Endpoint\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "553acbb0-3af3-11e7-a83b-b1b4da7d15f4", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1007], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDM0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Named Pipe", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"named_pipe.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Named Pipe\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6b7122d0-3af3-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1009], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDM1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Operation", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"operation.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Operation\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "86107960-3af3-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1011], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDM2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Round Trip Time", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Round Trip Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rtt\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Round Trip Time\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": 
"f275f490-3af3-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1013], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDM3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG8k4OxQT5EBNmq37a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1015], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDM4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DCE/RPC - Destination Port", 
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DCE/RPC - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d979b0f0-4a45-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1017], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDM5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":
8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "z16.04 - Bro - DCE/RPC", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "46582d50-3af2-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "913c5b80-3aab-11e7-8b17-0d8709b02c80", "name": "panel_0", "type": "search"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "cbb67b00-3af2-11e7-a83b-b1b4da7d15f4", "name": "panel_2", "type": "visualization"}, {"id": "f52f8bc0-3af2-11e7-a83b-b1b4da7d15f4", "name": "panel_3", "type": "visualization"}, {"id": "10b8a610-3af3-11e7-a83b-b1b4da7d15f4", "name": "panel_4", "type": "visualization"}, {"id": "553acbb0-3af3-11e7-a83b-b1b4da7d15f4", "name": "panel_5", "type": "visualization"}, {"id": "6b7122d0-3af3-11e7-a83b-b1b4da7d15f4", "name": "panel_6", "type": "visualization"}, {"id": "86107960-3af3-11e7-a83b-b1b4da7d15f4", "name": "panel_7", "type": "visualization"}, {"id": "f275f490-3af3-11e7-a83b-b1b4da7d15f4", "name": "panel_8", "type": "visualization"}, {"id": "AWDG8k4OxQT5EBNmq37a", "name": "panel_9", "type": "visualization"}, {"id": "d979b0f0-4a45-11e8-9b0a-f1d33346f773", "name": "panel_10", "type": "visualization"}, {"id": "42b17660-4a47-11e8-9b0a-f1d33346f773", "name": "panel_11", "type": "visualization"}], "sort": [1643385898421, 1030], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Source", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, 
"visState": "{\"title\":\"Intel - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sources.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "613de590-399b-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1032], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Intel - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a5571030-399b-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": 
"search_0", "type": "search"}], "sort": [1643385898421, 1034], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Intel - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ba2d3b10-399b-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1036], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Indicator", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Intel - 
Indicator\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"indicator.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Indicator\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6380b430-399c-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1038], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQ0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - MIME Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Intel - MIME Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mimetype.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"MIME Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "af614b80-399c-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": 
[1643385898421, 1040], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Matched", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Intel - Matched\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"matched.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type Matched\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c8540380-399c-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1042], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQ2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Intel - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a5bcec80-6e15-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1044], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Intel - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Intel - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, 
"coreMigrationVersion": "7.16.2", "id": "AWDG-Qf8xQT5EBNmq4G5", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1046], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQ4LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"versi
on\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"fuid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]", "timeRestore": false, "title": "z16.04 - Bro - Intel", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "468022c0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "361d0bd0-35b7-11e7-a994-c528746bc6e8", "name": "panel_1", "type": "visualization"}, {"id": "3013af40-399b-11e7-8472-0151e5b2b475", "name": "panel_2", "type": "visualization"}, {"id": "613de590-399b-11e7-8472-0151e5b2b475", "name": "panel_3", "type": "visualization"}, {"id": "a5571030-399b-11e7-8472-0151e5b2b475", "name": "panel_4", "type": "visualization"}, {"id": "ba2d3b10-399b-11e7-8472-0151e5b2b475", "name": "panel_5", "type": "visualization"}, {"id": 
"6380b430-399c-11e7-8472-0151e5b2b475", "name": "panel_6", "type": "visualization"}, {"id": "af614b80-399c-11e7-8472-0151e5b2b475", "name": "panel_7", "type": "visualization"}, {"id": "c8540380-399c-11e7-8472-0151e5b2b475", "name": "panel_8", "type": "visualization"}, {"id": "0d4e3a60-342e-11e7-9e93-53b62e1857b2", "name": "panel_9", "type": "search"}, {"id": "a5bcec80-6e15-11e7-8624-1fb07dd76c6a", "name": "panel_10", "type": "visualization"}, {"id": "07622d60-6e16-11e7-8624-1fb07dd76c6a", "name": "panel_11", "type": "visualization"}, {"id": "AWDG-Qf8xQT5EBNmq4G5", "name": "panel_12", "type": "visualization"}], "sort": [1643385898421, 1060], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Category", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Autoruns - 
Category\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Category\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"category.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Category\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "482be9b0-6d78-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1062], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDUwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Kerberos - Service", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Kerberos 
- Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"kerberos.service.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"kerberos.service.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "48331f00-75bd-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1064], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDUxLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"860e44c0-e06a-4d8a-9172-b542532df353": {"columnOrder": ["55eacb06-199f-41eb-b6dc-b5b1407b7073", "0c6f3897-05c7-4aa3-90e5-17f58946a3af", "63defa8c-527b-4165-9fb9-4e564bd03695"], "columns": {"0c6f3897-05c7-4aa3-90e5-17f58946a3af": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, 
"scale": "interval", "sourceField": "@timestamp"}, "55eacb06-199f-41eb-b6dc-b5b1407b7073": {"dataType": "string", "isBucketed": true, "label": "Top values of event.action", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "63defa8c-527b-4165-9fb9-4e564bd03695", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.action"}, "63defa8c-527b-4165-9fb9-4e564bd03695": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["63defa8c-527b-4165-9fb9-4e564bd03695"], "layerId": "860e44c0-e06a-4d8a-9172-b542532df353", "layerType": "data", "position": "top", "seriesType": "bar_stacked", "showGridlines": false, "splitAccessor": "55eacb06-199f-41eb-b6dc-b5b1407b7073", "xAccessor": "0c6f3897-05c7-4aa3-90e5-17f58946a3af"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - File Event Action", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "4d6bdc60-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, 
"references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-860e44c0-e06a-4d8a-9172-b542532df353", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1069], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDUyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"b12aced8-11a0-4a83-a7c5-129f142e8f04": {"columnOrder": ["bc61b519-0caa-4bf7-bbe7-6077fb307d0a", "f549d182-14e5-4395-b185-4cd192e4030c"], "columns": {"bc61b519-0caa-4bf7-bbe7-6077fb307d0a": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "f549d182-14e5-4395-b185-4cd192e4030c", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "user.name"}, "f549d182-14e5-4395-b185-4cd192e4030c": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "bc61b519-0caa-4bf7-bbe7-6077fb307d0a"}, {"columnId": "f549d182-14e5-4395-b185-4cd192e4030c"}], "layerId": "b12aced8-11a0-4a83-a7c5-129f142e8f04", "layerType": "data"}}, "title": "Endgame - File Username", "visualizationType": 
"lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "5a43fa30-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-b12aced8-11a0-4a83-a7c5-129f142e8f04", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1074], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDUzLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"e5f77e35-1bc5-4487-9602-e2962cafa87b": {"columnOrder": ["ade5af28-bac8-4a2d-adff-28580282a9d2", "bb5f0057-5e74-4baf-9839-aff53de6d145", "e480935c-b388-48c6-9582-fb4600b462fb"], "columns": {"ade5af28-bac8-4a2d-adff-28580282a9d2": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "file.name", "operationType": "terms", "params": {"missingBucket": true, "orderBy": {"columnId": "e480935c-b388-48c6-9582-fb4600b462fb", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 25}, "scale": "ordinal", "sourceField": "file.name"}, "bb5f0057-5e74-4baf-9839-aff53de6d145": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "file.path", "operationType": "terms", "params": {"missingBucket": true, "orderBy": {"columnId": "e480935c-b388-48c6-9582-fb4600b462fb", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "file.path"}, "e480935c-b388-48c6-9582-fb4600b462fb": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, 
"meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "ade5af28-bac8-4a2d-adff-28580282a9d2", "isTransposed": false}, {"columnId": "e480935c-b388-48c6-9582-fb4600b462fb", "isTransposed": false}, {"columnId": "bb5f0057-5e74-4baf-9839-aff53de6d145", "isTransposed": false}], "layerId": "e5f77e35-1bc5-4487-9602-e2962cafa87b", "layerType": "data"}}, "title": "Endgame - File Name", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "676296e0-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1079], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDU0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"377145dd-d931-4e01-8719-fa4e36df631a": {"columnOrder": ["6ba09492-0ce8-4f51-9263-e85a0a74225c", "123ad80c-6989-4387-a25a-9f0a60d6ea7b"], "columns": {"123ad80c-6989-4387-a25a-9f0a60d6ea7b": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "6ba09492-0ce8-4f51-9263-e85a0a74225c": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": 
{"columnId": "123ad80c-6989-4387-a25a-9f0a60d6ea7b", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "host.name"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "6ba09492-0ce8-4f51-9263-e85a0a74225c"}, {"columnId": "123ad80c-6989-4387-a25a-9f0a60d6ea7b"}], "layerId": "377145dd-d931-4e01-8719-fa4e36df631a", "layerType": "data"}}, "title": "Endgame - File Hostname", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "74daec50-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-377145dd-d931-4e01-8719-fa4e36df631a", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1084], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDU1LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3320254d-3b41-4746-946e-70357e58da19": {"columnOrder": ["4a9a0ae7-34cc-407e-8f0c-a60c234179b7", "9ee7fb17-68de-4b29-b3e8-21336f4b15ca"], "columns": {"4a9a0ae7-34cc-407e-8f0c-a60c234179b7": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "event.type", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "9ee7fb17-68de-4b29-b3e8-21336f4b15ca", 
"type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.type"}, "9ee7fb17-68de-4b29-b3e8-21336f4b15ca": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["4a9a0ae7-34cc-407e-8f0c-a60c234179b7"], "layerId": "3320254d-3b41-4746-946e-70357e58da19", "layerType": "data", "legendDisplay": "default", "metric": "9ee7fb17-68de-4b29-b3e8-21336f4b15ca", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "donut"}}, "title": "Endgame - File Event Type (Donut)", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "82ab9af0-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3320254d-3b41-4746-946e-70357e58da19", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1089], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDU2LDE1XQ=="} +{"attributes": {"columns": ["file.name", "file.directory"], "description": "", "grid": {}, "hideChart": false, "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame - File Search", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "90facda0-6f08-11ec-864c-8b5450f97635", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1643385898421, 1092], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDU3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":12,\"i\":\"d3fd89cc-9483-41b1-90e8-c2e86b862d4c\"},\"panelIndex\":\"d3fd89cc-9483-41b1-90e8-c2e86b862d4c\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | 
[Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{}},\"panelRefName\":\"panel_d3fd89cc-9483-41b1-90e8-c2e86b862d4c\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":13,\"h\":12,\"i\":\"dcf897df-beb2-4a1b-86b2-4b8b0370aa94\"},\"panelIndex\":\"dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"3505d400-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0\",\"accessor\":\"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e\",\"layerType\":\"data\"},\"query\":{\"query\":\"event.category.keyword : 
\\\"file\\\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0\":{\"columns\":{\"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"b2fc5f2d-52a4-4e20-9ca6-1afad1b8b45e\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File All Logs\",\"panelRefName\":\"panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":12,\"i\":\"fb5061a4-571d-4f4d-a3b5-fd7851d324ca\"},\"panelIndex\":\"fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"42a22c30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-10863c78-73fc-4739-88ea-b6e3419da4db\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index
-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"line\",\"layers\":[{\"layerId\":\"10863c78-73fc-4739-88ea-b6e3419da4db\",\"accessors\":[\"4e101a7c-04a5-4ab9-96c5-ef10fc92547b\"],\"position\":\"top\",\"seriesType\":\"line\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"e472c6a1-d786-43f7-95f0-df55a990e268\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"10863c78-73fc-4739-88ea-b6e3419da4db\":{\"columns\":{\"e472c6a1-d786-43f7-95f0-df55a990e268\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"4e101a7c-04a5-4ab9-96c5-ef10fc92547b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"e472c6a1-d786-43f7-95f0-df55a990e268\",\"4e101a7c-04a5-4ab9-96c5-ef10fc92547b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Log Count Over 
Time\",\"panelRefName\":\"panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":12,\"w\":32,\"h\":16,\"i\":\"30774bd7-ee7f-4c21-aa67-104e961664ee\"},\"panelIndex\":\"30774bd7-ee7f-4c21-aa67-104e961664ee\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsXY\",\"type\":\"lens\",\"references\":[{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"4d6bdc60-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-860e44c0-e06a-4d8a-9172-b542532df353\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"legend\":{\"isVisible\":true,\"position\":\"right\"},\"valueLabels\":\"hide\",\"fittingFunction\":\"None\",\"yLeftExtent\":{\"mode\":\"full\"},\"yRightExtent\":{\"mode\":\"full\"},\"axisTitlesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"tickLabelsVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"labelsOrientation\":{\"x\":0,\"yLeft\":0,\"yRight\":0},\"gridlinesVisibilitySettings\":{\"x\":true,\"yLeft\":true,\"yRight\":true},\"preferredSeriesType\":\"bar_stacked\",\"layers\":[{\"layerId\":\"860e44c0-e06a-4d8a-9172-b542532df353\",\"accessors\":[\"63defa8c-527b-4165-9fb9-4e564bd03695\"],\"position\":\"top\",\"seriesType\":\"bar_stacked\",\"showGridlines\":false,\"layerType\":\"data\",\"xAccessor\":\"0c6f3897-05c7-4a
a3-90e5-17f58946a3af\",\"splitAccessor\":\"55eacb06-199f-41eb-b6dc-b5b1407b7073\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"860e44c0-e06a-4d8a-9172-b542532df353\":{\"columns\":{\"55eacb06-199f-41eb-b6dc-b5b1407b7073\":{\"label\":\"Top values of event.action\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.action\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"63defa8c-527b-4165-9fb9-4e564bd03695\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"0c6f3897-05c7-4aa3-90e5-17f58946a3af\":{\"label\":\"@timestamp\",\"dataType\":\"date\",\"operationType\":\"date_histogram\",\"sourceField\":\"@timestamp\",\"isBucketed\":true,\"scale\":\"interval\",\"params\":{\"interval\":\"auto\"}},\"63defa8c-527b-4165-9fb9-4e564bd03695\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"55eacb06-199f-41eb-b6dc-b5b1407b7073\",\"0c6f3897-05c7-4aa3-90e5-17f58946a3af\",\"63defa8c-527b-4165-9fb9-4e564bd03695\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Event 
Action\",\"panelRefName\":\"panel_30774bd7-ee7f-4c21-aa67-104e961664ee\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":32,\"y\":12,\"w\":16,\"h\":16,\"i\":\"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\"},\"panelIndex\":\"8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"5a43fa30-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-b12aced8-11a0-4a83-a7c5-129f142e8f04\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"b12aced8-11a0-4a83-a7c5-129f142e8f04\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"bc61b519-0caa-4bf7-bbe7-6077fb307d0a\"},{\"columnId\":\"f549d182-14e5-4395-b185-4cd192e4030c\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"b12aced8-11a0-4a83-a7c5-129f142e8f04\":{\"columns\":{\"bc61b519-0caa-4bf7-bbe7-6077fb307d0a\":{\"label\":\"Top values of 
user.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"user.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"f549d182-14e5-4395-b185-4cd192e4030c\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"f549d182-14e5-4395-b185-4cd192e4030c\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"bc61b519-0caa-4bf7-bbe7-6077fb307d0a\",\"f549d182-14e5-4395-b185-4cd192e4030c\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Username\",\"panelRefName\":\"panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":31,\"i\":\"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\"},\"panelIndex\":\"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"e5f77e35-1bc5-4
487-9602-e2962cafa87b\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"ade5af28-bac8-4a2d-adff-28580282a9d2\"},{\"isTransposed\":false,\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},{\"columnId\":\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e5f77e35-1bc5-4487-9602-e2962cafa87b\":{\"columns\":{\"ade5af28-bac8-4a2d-adff-28580282a9d2\":{\"label\":\"Top values of file.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}},\"e480935c-b388-48c6-9582-fb4600b462fb\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bb5f0057-5e74-4baf-9839-aff53de6d145\":{\"label\":\"Top values of file.path\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.path\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}}},\"columnOrder\":[\"ade5af28-bac8-4a2d-adff-28580282a9d2\",\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"e480935c-b388-48c6-9582-fb4600b462fb\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - File 
Name\",\"panelRefName\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":11,\"i\":\"7e1aecd8-bbbe-453c-868b-8335f5ab65ea\"},\"panelIndex\":\"7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"74daec50-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-377145dd-d931-4e01-8719-fa4e36df631a\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"layerId\":\"377145dd-d931-4e01-8719-fa4e36df631a\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"6ba09492-0ce8-4f51-9263-e85a0a74225c\"},{\"columnId\":\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"377145dd-d931-4e01-8719-fa4e36df631a\":{\"columns\":{\"6ba09492-0ce8-4f51-9263-e85a0a74225c\":{\"label\":\"Top values of 
host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"6ba09492-0ce8-4f51-9263-e85a0a74225c\",\"123ad80c-6989-4387-a25a-9f0a60d6ea7b\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - File Hostname\",\"panelRefName\":\"panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea\"},{\"version\":\"7.16.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":39,\"w\":25,\"h\":20,\"i\":\"9fa50224-7ba0-4adb-806a-bca0ddaf81d0\"},\"panelIndex\":\"9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"82ab9af0-6d6d-11ec-864c-8b5450f97635\",\"name\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\",\"type\":\"lens\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-3320254d-3b41-4746-946e-70357e58da19\",\"type\":\"index-pattern\"},{\"id\":\"endgame-*\",\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\
"layerId\":\"3320254d-3b41-4746-946e-70357e58da19\",\"groups\":[\"4a9a0ae7-34cc-407e-8f0c-a60c234179b7\"],\"metric\":\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"default\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"3320254d-3b41-4746-946e-70357e58da19\":{\"columns\":{\"4a9a0ae7-34cc-407e-8f0c-a60c234179b7\":{\"label\":\"Top values of event.type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.type\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"4a9a0ae7-34cc-407e-8f0c-a60c234179b7\",\"9ee7fb17-68de-4b29-b3e8-21336f4b15ca\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"fa53d234-1d45-4a90-8468-631012e68ce8\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to File Dashboard\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true}}}]}}},\"title\":\"Endgame - File Event Type 
(Donut)\",\"panelRefName\":\"panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0\"},{\"version\":\"7.16.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":59,\"w\":48,\"h\":16,\"i\":\"0f24d345-114e-44a8-ac45-75258008cf3b\"},\"panelIndex\":\"0f24d345-114e-44a8-ac45-75258008cf3b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0f24d345-114e-44a8-ac45-75258008cf3b\"}]", "timeRestore": false, "title": "Endgame - File", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4923ad00-6349-11ec-864c-8b5450f97635", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "d3fd89cc-9483-41b1-90e8-c2e86b862d4c:panel_d3fd89cc-9483-41b1-90e8-c2e86b862d4c", "type": "visualization"}, {"id": "3505d400-6d6d-11ec-864c-8b5450f97635", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94", "type": "lens"}, {"id": "3505d400-6d6d-11ec-864c-8b5450f97635", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94", "type": "lens"}, {"id": "3505d400-6d6d-11ec-864c-8b5450f97635", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94", "type": "lens"}, {"id": "3505d400-6d6d-11ec-864c-8b5450f97635", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94", "type": "lens"}, {"id": "3505d400-6d6d-11ec-864c-8b5450f97635", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:panel_dcf897df-beb2-4a1b-86b2-4b8b0370aa94", "type": "lens"}, {"id": "endgame-*", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:indexpattern-datasource-layer-265fc12b-5b8f-4440-9d9a-77ca0e8b2ac0", "type": "index-pattern"}, {"id": "endgame-*", "name": "dcf897df-beb2-4a1b-86b2-4b8b0370aa94:filter-index-pattern-0", "type": "index-pattern"}, {"id": "42a22c30-6d6d-11ec-864c-8b5450f97635", "name": 
"fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca", "type": "lens"}, {"id": "42a22c30-6d6d-11ec-864c-8b5450f97635", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca", "type": "lens"}, {"id": "42a22c30-6d6d-11ec-864c-8b5450f97635", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca", "type": "lens"}, {"id": "42a22c30-6d6d-11ec-864c-8b5450f97635", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca", "type": "lens"}, {"id": "42a22c30-6d6d-11ec-864c-8b5450f97635", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:panel_fb5061a4-571d-4f4d-a3b5-fd7851d324ca", "type": "lens"}, {"id": "endgame-*", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:indexpattern-datasource-layer-10863c78-73fc-4739-88ea-b6e3419da4db", "type": "index-pattern"}, {"id": "endgame-*", "name": "fb5061a4-571d-4f4d-a3b5-fd7851d324ca:filter-index-pattern-0", "type": "index-pattern"}, {"id": "4d6bdc60-6d6d-11ec-864c-8b5450f97635", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee", "type": "lens"}, {"id": "4d6bdc60-6d6d-11ec-864c-8b5450f97635", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee", "type": "lens"}, {"id": "4d6bdc60-6d6d-11ec-864c-8b5450f97635", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee", "type": "lens"}, {"id": "4d6bdc60-6d6d-11ec-864c-8b5450f97635", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee", "type": "lens"}, {"id": "4d6bdc60-6d6d-11ec-864c-8b5450f97635", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:panel_30774bd7-ee7f-4c21-aa67-104e961664ee", "type": "lens"}, {"id": "endgame-*", "name": 
"30774bd7-ee7f-4c21-aa67-104e961664ee:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:indexpattern-datasource-layer-860e44c0-e06a-4d8a-9172-b542532df353", "type": "index-pattern"}, {"id": "endgame-*", "name": "30774bd7-ee7f-4c21-aa67-104e961664ee:filter-index-pattern-0", "type": "index-pattern"}, {"id": "5a43fa30-6d6d-11ec-864c-8b5450f97635", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1", "type": "lens"}, {"id": "5a43fa30-6d6d-11ec-864c-8b5450f97635", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1", "type": "lens"}, {"id": "5a43fa30-6d6d-11ec-864c-8b5450f97635", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1", "type": "lens"}, {"id": "5a43fa30-6d6d-11ec-864c-8b5450f97635", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1", "type": "lens"}, {"id": "5a43fa30-6d6d-11ec-864c-8b5450f97635", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:panel_8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1", "type": "lens"}, {"id": "endgame-*", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:indexpattern-datasource-layer-b12aced8-11a0-4a83-a7c5-129f142e8f04", "type": "index-pattern"}, {"id": "endgame-*", "name": "8e44a14b-ce7e-4ebf-a1b1-478eb4cab7c1:filter-index-pattern-0", "type": "index-pattern"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": 
"cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "endgame-*", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b", "type": "index-pattern"}, {"id": "endgame-*", "name": "cd2e58e6-ecaf-46ff-89ae-3f6c104137b2:filter-index-pattern-0", "type": "index-pattern"}, {"id": "74daec50-6d6d-11ec-864c-8b5450f97635", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea", "type": "lens"}, {"id": "74daec50-6d6d-11ec-864c-8b5450f97635", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea", "type": "lens"}, {"id": "74daec50-6d6d-11ec-864c-8b5450f97635", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea", "type": "lens"}, {"id": "74daec50-6d6d-11ec-864c-8b5450f97635", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea", "type": "lens"}, {"id": "74daec50-6d6d-11ec-864c-8b5450f97635", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:panel_7e1aecd8-bbbe-453c-868b-8335f5ab65ea", "type": "lens"}, {"id": "endgame-*", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:indexpattern-datasource-layer-377145dd-d931-4e01-8719-fa4e36df631a", "type": "index-pattern"}, {"id": "endgame-*", "name": "7e1aecd8-bbbe-453c-868b-8335f5ab65ea:filter-index-pattern-0", 
"type": "index-pattern"}, {"id": "82ab9af0-6d6d-11ec-864c-8b5450f97635", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0", "type": "lens"}, {"id": "82ab9af0-6d6d-11ec-864c-8b5450f97635", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0", "type": "lens"}, {"id": "82ab9af0-6d6d-11ec-864c-8b5450f97635", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0", "type": "lens"}, {"id": "82ab9af0-6d6d-11ec-864c-8b5450f97635", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0", "type": "lens"}, {"id": "82ab9af0-6d6d-11ec-864c-8b5450f97635", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:panel_9fa50224-7ba0-4adb-806a-bca0ddaf81d0", "type": "lens"}, {"id": "endgame-*", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:indexpattern-datasource-layer-3320254d-3b41-4746-946e-70357e58da19", "type": "index-pattern"}, {"id": "endgame-*", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:filter-index-pattern-0", "type": "index-pattern"}, {"id": "4923ad00-6349-11ec-864c-8b5450f97635", "name": "9fa50224-7ba0-4adb-806a-bca0ddaf81d0:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:fa53d234-1d45-4a90-8468-631012e68ce8:dashboardId", "type": "dashboard"}, {"id": "90facda0-6f08-11ec-864c-8b5450f97635", "name": "0f24d345-114e-44a8-ac45-75258008cf3b:panel_0f24d345-114e-44a8-ac45-75258008cf3b", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1153], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security 
Onion - SIP - Request From", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SIP - Request From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.request.from.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.request.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Request From\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "49384710-75ca-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1155], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"network.transport:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - 
Network - Transport", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Network - Transport\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"network.transport: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"network.transport\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Network Transport\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "499a0690-6ead-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1157], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDYwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Strelka - File - Source", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", 
"version": 1, "visState": "{\"title\":\"Strelka - File - Source\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.source.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "49cfe850-772c-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1159], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDYxLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3a9904aa-0df2-48a5-b981-ae47f20e29d3": {"columnOrder": ["37a5b642-e2c0-4005-88c9-d4e1f9016648"], "columns": {"37a5b642-e2c0-4005-88c9-d4e1f9016648": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Logs", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, 
"visualization": {"accessor": "37a5b642-e2c0-4005-88c9-d4e1f9016648", "layerId": "3a9904aa-0df2-48a5-b981-ae47f20e29d3", "layerType": "data"}}, "title": "Endgame - Network Metric", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "ec0fa520-6329-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3a9904aa-0df2-48a5-b981-ae47f20e29d3", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1164], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDYyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"909005b3-b986-4bf6-9504-f4a9c877a966": {"columnOrder": ["b65c177b-364a-4656-854a-69e6b07f05ff", "98109e10-1bb1-4a93-bd3f-64a228aba2c4"], "columns": {"98109e10-1bb1-4a93-bd3f-64a228aba2c4": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "b65c177b-364a-4656-854a-69e6b07f05ff": {"dataType": "string", "isBucketed": true, "label": "Top values of network.transport", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "98109e10-1bb1-4a93-bd3f-64a228aba2c4", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "network.transport"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": 
{"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["b65c177b-364a-4656-854a-69e6b07f05ff"], "layerId": "909005b3-b986-4bf6-9504-f4a9c877a966", "layerType": "data", "legendDisplay": "show", "metric": "98109e10-1bb1-4a93-bd3f-64a228aba2c4", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "donut"}}, "title": "Endgame - Network Protocol", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "a82d8250-6324-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1169], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDYzLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"f2b4871a-9aca-4016-848c-331b8c221cf7": {"columnOrder": ["a06965e8-9258-490d-9765-54afc2fb5073", "e81257d5-bbe1-406d-b8b7-01db30a05390"], "columns": {"a06965e8-9258-490d-9765-54afc2fb5073": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "source.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e81257d5-bbe1-406d-b8b7-01db30a05390", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 100}, "scale": "ordinal", "sourceField": "source.ip"}, "e81257d5-bbe1-406d-b8b7-01db30a05390": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": 
{}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "a06965e8-9258-490d-9765-54afc2fb5073"}, {"columnId": "e81257d5-bbe1-406d-b8b7-01db30a05390"}], "layerId": "f2b4871a-9aca-4016-848c-331b8c221cf7", "layerType": "data"}}, "title": "Endgame - Network Source IP", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "ac2e7c60-6e41-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1173], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDY0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"d76872f3-61fb-4b26-8440-0ca886e33224": {"columnOrder": ["822af2db-f82f-4f05-a4c3-8c6b7808d79a", "6f747e8d-b264-42e8-ae88-2df81bf5bfa5"], "columns": {"6f747e8d-b264-42e8-ae88-2df81bf5bfa5": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "822af2db-f82f-4f05-a4c3-8c6b7808d79a": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "destination.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "6f747e8d-b264-42e8-ae88-2df81bf5bfa5", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 100}, "scale": "ordinal", "sourceField": "destination.ip"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "822af2db-f82f-4f05-a4c3-8c6b7808d79a"}, {"columnId": 
"6f747e8d-b264-42e8-ae88-2df81bf5bfa5"}], "layerId": "d76872f3-61fb-4b26-8440-0ca886e33224", "layerType": "data"}}, "title": "Endgame - Network Destination IP", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "c7f8be60-6e41-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1177], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDY1LDE1XQ=="} +{"attributes": {"columns": [], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"network\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"network\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame - Network Search", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4e1aa7c0-6ed2-11ec-864c-8b5450f97635", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1643385898421, 1180], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDY2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Endgame - Network Heatmap", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 5,500,000,000\":\"rgb(247,252,245)\",\"5,500,000,000 - 11,000,000,000\":\"rgb(198,232,191)\",\"11,000,000,000 - 16,500,000,000\":\"rgb(114,195,120)\",\"16,500,000,000 - 22,000,000,000\":\"rgb(34,139,69)\"},\"legendOpen\":true}}", "version": 1, "visState": "{\"title\":\"Endgame - Network Heatmap\",\"type\":\"heatmap\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"sum\",\"params\":{\"field\":\"network.bytes\"},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":17,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"source.ip\"},\"schema\":\"group\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":20,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"destination.ip\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"heatmap\",\"addTooltip\":true,\"addLegend\":true,\"enableHover\":false,\"legendPosition\":\"right\",\"times\":[],\"colorsNumber\":4,\"colorSchema\":\"Greens\",\"setColorRange\":false,\"colorsRange\":[],\"invertColors\":false,\"percentageMode\":false,\"valueAxes\":[{\"show\":false,\"id\":\"ValueAxis-1\",\"type\":\"value\",\"scale\":{\"type\":\"linear\",\"defaultYExtents\":false},\"labels\":{\"show\":false,\"rotate\":0,\"overwriteColor\":false,\"color\":\"black\"}}]}}"}, "coreMigrationVersion": "7.16.2", "id": "de389910-6f0a-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "4e1aa7c0-6ed2-11ec-864c-8b5450f97635", "name": "search_0", "type": "search"}, 
{"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1183], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDY3LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"89c7faa8-15c2-4772-95a6-8049a683be1a": {"columnOrder": ["0cf6d6cf-9585-4e5f-8729-af8484507670", "fa5a503a-c448-4dc7-8b1e-5679822218ae", "e520b985-a9b8-4183-b29c-61373ed817c8", "9079d4df-8e60-4749-bc38-b3b52782f71d"], "columns": {"0cf6d6cf-9585-4e5f-8729-af8484507670": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "dns.question.type", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "9079d4df-8e60-4749-bc38-b3b52782f71d", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 100}, "scale": "ordinal", "sourceField": "dns.question.type"}, "9079d4df-8e60-4749-bc38-b3b52782f71d": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "e520b985-a9b8-4183-b29c-61373ed817c8": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "dns.question.registered_domain", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "9079d4df-8e60-4749-bc38-b3b52782f71d", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 100}, "scale": "ordinal", "sourceField": "dns.question.registered_domain"}, "fa5a503a-c448-4dc7-8b1e-5679822218ae": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "dns.question.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "9079d4df-8e60-4749-bc38-b3b52782f71d", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 100}, "scale": "ordinal", "sourceField": "dns.question.name"}}, "incompleteColumns": 
{}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "0cf6d6cf-9585-4e5f-8729-af8484507670", "isTransposed": false}, {"columnId": "e520b985-a9b8-4183-b29c-61373ed817c8", "isTransposed": false}, {"columnId": "fa5a503a-c448-4dc7-8b1e-5679822218ae", "isTransposed": false}, {"columnId": "9079d4df-8e60-4749-bc38-b3b52782f71d", "isTransposed": false}], "layerId": "89c7faa8-15c2-4772-95a6-8049a683be1a", "layerType": "data"}}, "title": "Endgame - DNS Records", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "85048e40-6329-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1188], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDY4LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"6eb1c7b4-ab7b-4b99-8113-5e5eec2db2f6": {"columnOrder": ["bc7ded30-7099-4284-93f9-61bc44cd1b20", "1219efed-4a09-4e75-b721-b5b581968e14"], "columns": {"1219efed-4a09-4e75-b721-b5b581968e14": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "bc7ded30-7099-4284-93f9-61bc44cd1b20": {"dataType": "string", 
"isBucketed": true, "label": "Top values of user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "1219efed-4a09-4e75-b721-b5b581968e14", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "user.name"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "network"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "network"}}}, {"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-1", "key": "event.type", "negate": false, "params": {"query": "info"}, "type": "phrase"}, "query": {"match_phrase": {"event.type": "info"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["bc7ded30-7099-4284-93f9-61bc44cd1b20", "bc7ded30-7099-4284-93f9-61bc44cd1b20"], "layerId": "6eb1c7b4-ab7b-4b99-8113-5e5eec2db2f6", "layerType": "data", "legendDisplay": "show", "metric": "1219efed-4a09-4e75-b721-b5b581968e14", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "donut"}}, "title": "Endgame - DNS Requests Chart", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "f30bef10-6328-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-6eb1c7b4-ab7b-4b99-8113-5e5eec2db2f6", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-1", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", 
"type": "tag"}], "sort": [1643385898421, 1194], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDY5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":10,\"i\":\"5485c8f5-90ea-409f-8522-f0a58716a12e\"},\"panelIndex\":\"5485c8f5-90ea-409f-8522-f0a58716a12e\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_5485c8f5-90ea-409f-8522-f0a58716a12e\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":14,\"h\":10,\"i\":\"2fcc00ab-4db8-4760-9bd0-111a3cd1c822\"},\"panelIndex\":\"2fcc00ab-4db8-4760-9bd0-111a3cd1c822\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2fcc00ab-4db8-4760-9bd0-111a3cd1c822\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":12,\"h\":13,\"i\":\"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\"},\"panelIndex\":\"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsPie\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864
c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\",\"type\":\"lens\",\"id\":\"a82d8250-6324-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966\"}],\"state\":{\"visualization\":{\"shape\":\"donut\",\"layers\":[{\"layerId\":\"909005b3-b986-4bf6-9504-f4a9c877a966\",\"groups\":[\"b65c177b-364a-4656-854a-69e6b07f05ff\"],\"metric\":\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\",\"numberDisplay\":\"percent\",\"categoryDisplay\":\"default\",\"legendDisplay\":\"show\",\"nestedLegend\":false,\"layerType\":\"data\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"909005b3-b986-4bf6-9504-f4a9c877a966\":{\"columns\":{\"b65c177b-364a-4656-854a-69e6b07f05ff\":{\"label\":\"Top values of network.transport\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"network.transport\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"column\",\"columnId\":\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"b65c177b-364a-4656-854a-69e6b07f05ff\",\"98109e10-1bb1-4a93-bd3f-64a228aba2c4\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network 
Transport\",\"panelRefName\":\"panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":36,\"y\":0,\"w\":12,\"h\":13,\"i\":\"3db56ff3-17bb-4304-95ca-5b7b6254257a\"},\"panelIndex\":\"3db56ff3-17bb-4304-95ca-5b7b6254257a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3db56ff3-17bb-4304-95ca-5b7b6254257a\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":19,\"i\":\"0fd77215-f380-4e05-8e8d-7eff24e7eb10\"},\"panelIndex\":\"0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"
type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\",\"type\":\"lens\",\"id\":\"22ffcc70-6322-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58\"}],\"state\":{\"visualization\":{\"layerId\":\"7d4edcbb-fca9-47d9-93df-acba6aaf6f58\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\"},{\"columnId\":\"92a4b279-4a18-4513-a75c-52dcf79a6801\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"7d4edcbb-fca9-47d9-93df-acba6aaf6f58\":{\"columns\":{\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\":{\"label\":\"Top values of event.category\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"event.category\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"92a4b279-4a18-4513-a75c-52dcf79a6801\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"92a4b279-4a18-4513-a75c-52dcf79a6801\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"0cbe5805-5e69-4a7e-a5ef-21dfabd592f5\",\"92a4b279-4a18-4513-a75c-52dcf79a6801\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network 
Events\",\"panelRefName\":\"panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":13,\"w\":12,\"h\":16,\"i\":\"55ac1386-6ccb-4926-813d-1dc397a60036\"},\"panelIndex\":\"55ac1386-6ccb-4926-813d-1dc397a60036\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\",\"type\":\"lens\",\"id\":\"ac2e7c60-6e41-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7\"}],\"state\":{\"visualization\":{\"layerId\":\"f2b4871a-9aca-4016-848c-331b8c221cf7\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"a06965e8-9258-490d-9765-54afc2fb5073\"},{\"columnId\":\"e81257d5-bbe1-406d-b8b7-01db30a05390\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"f2b4871a-9aca-4016-848c-331b8c221cf7\":{\"columns\":{\"a06965e8-9258-490d-9765-54afc2fb5073\":{\"label\":\"Top values of source.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"source.ip\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e81257d5-bbe1-406d-b8b7-01db30a05390\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"e81257d5-bbe1-406d-b8b7-01db30a05390\":{\"label\":\"Count of 
records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"a06965e8-9258-490d-9765-54afc2fb5073\",\"e81257d5-bbe1-406d-b8b7-01db30a05390\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network Source IP\",\"panelRefName\":\"panel_55ac1386-6ccb-4926-813d-1dc397a60036\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":36,\"y\":13,\"w\":12,\"h\":16,\"i\":\"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\"},\"panelIndex\":\"0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"name\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\",\"type\":\"lens\",\"id\":\"c7f8be60-6e41-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224\"}],\"state\":{\"visualization\":{\"layerId\":\"d76872f3-61fb-4b26-8440-0ca886e33224\",\"layerType\":\"data\",\"columns\":[{\"columnId\":\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\"},{\"columnId\":\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"d76872f3-61fb-4b26-8440-0ca886e33224\":{\"columns\":{\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\":{\"label\":\"Top values of 
destination.ip\",\"dataType\":\"ip\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"destination.ip\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"822af2db-f82f-4f05-a4c3-8c6b7808d79a\",\"6f747e8d-b264-42e8-ae88-2df81bf5bfa5\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network Destination IP\",\"panelRefName\":\"panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":12,\"i\":\"93e059d5-fc50-4357-9dfa-939f48da5834\"},\"panelIndex\":\"93e059d5-fc50-4357-9dfa-939f48da5834\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_93e059d5-fc50-4357-9dfa-939f48da5834\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":41,\"w\":48,\"h\":21,\"i\":\"cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002\"},\"panelIndex\":\"cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":62,\"w\":28,\"h\":17,\"i\":\"1d174f74-9575-4827-8ae0-d5db7d53777b\"},\"panelIndex\":\"1d174f74-9575-4827-8ae0-d5db7d53777b\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864
c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"name\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\",\"type\":\"lens\",\"id\":\"85048e40-6329-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a\"}],\"state\":{\"visualization\":{\"layerId\":\"89c7faa8-15c2-4772-95a6-8049a683be1a\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"0cf6d6cf-9585-4e5f-8729-af8484507670\"},{\"isTransposed\":false,\"columnId\":\"e520b985-a9b8-4183-b29c-61373ed817c8\"},{\"isTransposed\":false,\"columnId\":\"fa5a503a-c448-4dc7-8b1e-5679822218ae\"},{\"isTransposed\":false,\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"89c7faa8-15c2-4772-95a6-8049a683be1a\":{\"columns\":{\"0cf6d6cf-9585-4e
5f-8729-af8484507670\":{\"label\":\"Top values of dns.question.type\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.type\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"e520b985-a9b8-4183-b29c-61373ed817c8\":{\"label\":\"Top values of dns.question.registered_domain\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.registered_domain\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"fa5a503a-c448-4dc7-8b1e-5679822218ae\":{\"label\":\"Top values of dns.question.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"dns.question.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"9079d4df-8e60-4749-bc38-b3b52782f71d\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":false}},\"9079d4df-8e60-4749-bc38-b3b52782f71d\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"}},\"columnOrder\":[\"0cf6d6cf-9585-4e5f-8729-af8484507670\",\"e520b985-a9b8-4183-b29c-61373ed817c8\",\"fa5a503a-c448-4dc7-8b1e-5679822218ae\",\"9079d4df-8e60-4749-bc38-b3b52782f71d\"],\"incompleteColumns\":{}}}}}}},\"hidePanelTitles\":false,\"enhancements\":{},\"type\":\"lens\"},\"title\":\"Endgame - Network DNS 
Query\",\"panelRefName\":\"panel_1d174f74-9575-4827-8ae0-d5db7d53777b\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":28,\"y\":62,\"w\":20,\"h\":17,\"i\":\"0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1\"},\"panelIndex\":\"0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Network DNS Requests Chart\",\"panelRefName\":\"panel_0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":79,\"w\":48,\"h\":17,\"i\":\"fb5ece46-c6e7-4d56-a48a-607783ad818f\"},\"panelIndex\":\"fb5ece46-c6e7-4d56-a48a-607783ad818f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_fb5ece46-c6e7-4d56-a48a-607783ad818f\"}]", "timeRestore": false, "title": "Endgame - Network", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "49d34770-53b2-11ec-b3ef-6bcc33056a36", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "5485c8f5-90ea-409f-8522-f0a58716a12e:panel_5485c8f5-90ea-409f-8522-f0a58716a12e", "type": "visualization"}, {"id": "ec0fa520-6329-11ec-864c-8b5450f97635", "name": "2fcc00ab-4db8-4760-9bd0-111a3cd1c822:panel_2fcc00ab-4db8-4760-9bd0-111a3cd1c822", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": 
"0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "a82d8250-6324-11ec-864c-8b5450f97635", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:panel_0beb83fa-d4cf-47f1-9e57-e3c32bdf2800", "type": "lens"}, {"id": "endgame-*", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "0beb83fa-d4cf-47f1-9e57-e3c32bdf2800:indexpattern-datasource-layer-909005b3-b986-4bf6-9504-f4a9c877a966", "type": "index-pattern"}, {"id": "2f20b2c0-6323-11ec-864c-8b5450f97635", "name": "3db56ff3-17bb-4304-95ca-5b7b6254257a:panel_3db56ff3-17bb-4304-95ca-5b7b6254257a", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", 
"name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "22ffcc70-6322-11ec-864c-8b5450f97635", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:panel_0fd77215-f380-4e05-8e8d-7eff24e7eb10", "type": "lens"}, {"id": "endgame-*", "name": 
"0fd77215-f380-4e05-8e8d-7eff24e7eb10:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "0fd77215-f380-4e05-8e8d-7eff24e7eb10:indexpattern-datasource-layer-7d4edcbb-fca9-47d9-93df-acba6aaf6f58", "type": "index-pattern"}, {"id": "ac2e7c60-6e41-11ec-864c-8b5450f97635", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036", "type": "lens"}, {"id": "ac2e7c60-6e41-11ec-864c-8b5450f97635", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036", "type": "lens"}, {"id": "ac2e7c60-6e41-11ec-864c-8b5450f97635", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036", "type": "lens"}, {"id": "ac2e7c60-6e41-11ec-864c-8b5450f97635", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036", "type": "lens"}, {"id": "ac2e7c60-6e41-11ec-864c-8b5450f97635", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:panel_55ac1386-6ccb-4926-813d-1dc397a60036", "type": "lens"}, {"id": "endgame-*", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "55ac1386-6ccb-4926-813d-1dc397a60036:indexpattern-datasource-layer-f2b4871a-9aca-4016-848c-331b8c221cf7", "type": "index-pattern"}, {"id": "c7f8be60-6e41-11ec-864c-8b5450f97635", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6", "type": "lens"}, {"id": "c7f8be60-6e41-11ec-864c-8b5450f97635", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6", "type": "lens"}, {"id": "c7f8be60-6e41-11ec-864c-8b5450f97635", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6", "type": "lens"}, {"id": "c7f8be60-6e41-11ec-864c-8b5450f97635", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6", "type": "lens"}, {"id": 
"c7f8be60-6e41-11ec-864c-8b5450f97635", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:panel_0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6", "type": "lens"}, {"id": "endgame-*", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "0f3fac52-b7b5-4cf5-bf8e-20e4283df6a6:indexpattern-datasource-layer-d76872f3-61fb-4b26-8440-0ca886e33224", "type": "index-pattern"}, {"id": "38c95ae0-6e4d-11ec-864c-8b5450f97635", "name": "93e059d5-fc50-4357-9dfa-939f48da5834:panel_93e059d5-fc50-4357-9dfa-939f48da5834", "type": "lens"}, {"id": "de389910-6f0a-11ec-864c-8b5450f97635", "name": "cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002:panel_cb25c6cd-4360-4a3f-8c5c-49a1b1a3d002", "type": "visualization"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": 
"lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "85048e40-6329-11ec-864c-8b5450f97635", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:panel_1d174f74-9575-4827-8ae0-d5db7d53777b", "type": "lens"}, {"id": "endgame-*", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "1d174f74-9575-4827-8ae0-d5db7d53777b:indexpattern-datasource-layer-89c7faa8-15c2-4772-95a6-8049a683be1a", "type": "index-pattern"}, {"id": "f30bef10-6328-11ec-864c-8b5450f97635", "name": "0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1:panel_0dc8b0a7-c750-4e4d-8fa3-fa9fb8814fa1", "type": "lens"}, {"id": "4e1aa7c0-6ed2-11ec-864c-8b5450f97635", "name": "fb5ece46-c6e7-4d56-a48a-607783ad818f:panel_fb5ece46-c6e7-4d56-a48a-607783ad818f", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1262], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDcwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNS - Protocol (Donut Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DNS - Protocol (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "49e04860-4a4e-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1264], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDcxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Request Type (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Kerberos - Request Type (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"request_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "4aa0b2a0-6e1a-11e7-89e4-613b96f597e1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1266], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDcyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": 
"search_0", "title": "Security Onion - Network - Destination IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Network - Destination IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IPs\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "4adca340-6eae-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1268], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:google.com~ -highest_registered_domain:google.com AND highest_registered_domain:youtube.com~ -highest_registered_domain:youtube.com AND highest_registered_domain:facebook.com~ -highest_registered_domain:facebook.com AND highest_registered_domain:wikipedia.org~ -highest_registered_domain:wikipedia.org AND highest_registered_domain:google.co.in~ -highest_registered_domain:google.co.in AND 
highest_registered_domain:reddit.com~ -highest_registered_domain:reddit.com AND highest_registered_domain:amazon.com~ -highest_registered_domain:amazon.com AND highest_registered_domain:taobao.com~ -highest_registered_domain:taobao.com AND highest_registered_domain:twitter.com~ -highest_registered_domain:twitter.com AND highest_registered_domain:google.co.jp~ -highest_registered_domain:google.co.jp AND highest_registered_domain:instagram.com~ -highest_registered_domain:instagram.com AND highest_registered_domain:sina.com.cn~ -highest_registered_domain:sina.com.cn AND highest_registered_domain:google.co.uk~ -highest_registered_domain:google.co.uk AND highest_registered_domain:linkedin.com~ -highest_registered_domain:linkedin.com AND highest_registered_domain:list.tmall.com~ -highest_registered_domain:list.tmall.com AND highest_registered_domain:google.com.br~ -highest_registered_domain:google.com.br AND highest_registered_domain:google.com.hk~ -highest_registered_domain:google.com.hk AND highest_registered_domain:netflix.com~ -highest_registered_domain:netflix.com AND highest_registered_domain:yahoo.co.jp~ -highest_registered_domain:yahoo.co.jp AND highest_registered_domain:pornhub.com~ -highest_registered_domain:pornhub.com AND highest_registered_domain:xvideos.com~ -highest_registered_domain:xvideos.com AND highest_registered_domain:microsoft.com~ -highest_registered_domain:microsoft.com AND highest_registered_domain:livejasmin.com~ -highest_registered_domain:livejasmin.com AND highest_registered_domain:aliexpress.com~ -highest_registered_domain:aliexpress.com AND highest_registered_domain:stackoverflow.com~ -highest_registered_domain:stackoverflow.com AND highest_registered_domain:wordpress.com~ -highest_registered_domain:wordpress.com AND highest_registered_domain:hao123.com~ -highest_registered_domain:hao123.com AND highest_registered_domain:github.com~ -highest_registered_domain:github.com AND highest_registered_domain:amazon.co.jp~ 
-highest_registered_domain:amazon.co.jp AND highest_registered_domain:blogspot.com~ -highest_registered_domain:blogspot.com AND highest_registered_domain:pinterest.com~ -highest_registered_domain:pinterest.com AND highest_registered_domain:bongacams.com~ -highest_registered_domain:bongacams.com AND highest_registered_domain:google.com.tr~ -highest_registered_domain:google.com.tr AND highest_registered_domain:popads.net~ -highest_registered_domain:popads.net AND highest_registered_domain:paypal.com~ -highest_registered_domain:paypal.com AND highest_registered_domain:office.com~ -highest_registered_domain:office.com AND highest_registered_domain:google.com.tw~ -highest_registered_domain:google.com.tw AND highest_registered_domain:google.com.au~ -highest_registered_domain:google.com.au AND highest_registered_domain:whatsapp.com~ -highest_registered_domain:whatsapp.com AND highest_registered_domain:microsoftonline.com~ -highest_registered_domain:microsoftonline.com\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "DNS - Phishing Attempts Against Alexa Top Sites", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}", "version": 1, "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"},\"schema\":\"metric\",\"type\":\"count\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTooltip\":true,\"gauge\":{\"backStyle\":\"Full\",\"colorSchema\":\"Green to 
Red\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"extendRange\":true,\"gaugeColorMode\":\"Labels\",\"gaugeStyle\":\"Full\",\"gaugeType\":\"Arc\",\"invertColors\":false,\"labels\":{\"color\":\"black\",\"show\":true},\"orientation\":\"vertical\",\"percentageMode\":false,\"scale\":{\"color\":\"#333\",\"labels\":false,\"show\":true},\"style\":{\"bgColor\":false,\"bgFill\":\"#eee\",\"bgMask\":false,\"bgWidth\":0.9,\"fontSize\":60,\"labelColor\":true,\"mask\":false,\"maskBars\":50,\"subText\":\"Edit this to reflect your domain(s)\",\"width\":0.9},\"type\":\"meter\",\"alignment\":\"horizontal\"}},\"title\":\"DNS - Phishing Attempts Against Alexa Top Sites\",\"type\":\"gauge\"}"}, "coreMigrationVersion": "7.16.2", "id": "4d89e140-6f09-11e7-9d31-23c0596994a7", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1270], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDc0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Source - Top Connection Duration (Tile Map)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Source - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by 
USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"source_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "5ea38360-46c7-11e7-946f-1bfb1be7c36b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1272], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDc1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[14.604847155053898,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": false, "title": "Connections - Source - Top Connection Duration", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "4e108070-46c7-11e7-946f-1bfb1be7c36b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "5ea38360-46c7-11e7-946f-1bfb1be7c36b", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 1275], "type": "dashboard", "updated_at": 
"2022-01-28T16:04:58.421Z", "version": "WzE0MDc2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "PE - Section Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"PE - Section Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"section_names.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "4e56b4d0-416f-11e7-9850-b78558d0ac17", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1277], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDc3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DHCP - IP to MAC Assignment", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DHCP - IP to MAC 
Assignment\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false,\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"assigned_ip.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mac.keyword\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "4e877100-4a48-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1279], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDc4LDE1XQ=="} +{"attributes": {"description": "", 
"kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSL - Issuer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SSL - Issuer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.issuer.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.issuer.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Issuer\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "4e8cbf80-75ec-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1281], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", 
"title": "RFB - Server Version", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Server Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "4fade7b0-6e22-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1283], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Firewall - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e76d2eb0-6d6b-11e7-ad64-15aa071374a6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1285], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDgxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Firewall - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c3a06740-6d75-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1287], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDgyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Firewall - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "df06de60-6d75-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", 
"type": "search"}], "sort": [1643385898421, 1289], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Destination Port", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Firewall - Destination Port\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "fcf75bc0-6d75-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1291], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDg0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Protocol", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Firewall - 
Protocol\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"ipv4_protocol.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f8f0dbc0-6d82-11e7-912f-0950e6d5c322", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1293], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDg1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Firewall - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Firewall - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHH3kBxQT5EBNmq459", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1295], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDg2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":60,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":36,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":36,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":16,\"x\":32,\"y\":8,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":60,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"action\",\"reason\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - Firewall", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "50173bd0-3582-11e7-98ef-19df58fe538b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "e76d2eb0-6d6b-11e7-ad64-15aa071374a6", "name": "panel_1", "type": "visualization"}, {"id": "c3a06740-6d75-11e7-b09b-f57b22df6524", "name": "panel_2", "type": "visualization"}, {"id": "df06de60-6d75-11e7-b09b-f57b22df6524", "name": "panel_3", "type": "visualization"}, {"id": "2a1eb100-6d82-11e7-bcd4-0d514e0e7da1", "name": "panel_4", "type": "visualization"}, {"id": "fcf75bc0-6d75-11e7-b09b-f57b22df6524", "name": "panel_5", "type": "visualization"}, {"id": "f8f0dbc0-6d82-11e7-912f-0950e6d5c322", "name": "panel_6", "type": "visualization"}, {"id": "37c16940-6d6b-11e7-ad64-15aa071374a6", "name": "panel_7", "type": "search"}, {"id": "AWDHH3kBxQT5EBNmq459", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 1305], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - File Size", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - File 
Size\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.size: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.size\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Size\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "50b4c880-72df-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1307], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDg4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RDP - Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RDP - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "524e13b0-371c-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1309], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDg5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNS - Answers", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.answers.name.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dns.answers.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Answer\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "536876a0-72ba-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1311], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDkwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Tunnels - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "53824da0-6e35-11e7-9a19-a5996f8250c6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1313], "type": 
"visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDkxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SIP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "5393c710-3640-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", 
"name": "search_0", "type": "search"}], "sort": [1643385898421, 1315], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "53ac63e0-365b-11e7-8bd0-1db2c55fb7a1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1317], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDkzLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"0600494b-6f03-450b-8dab-981005aedf32": {"columnOrder": ["0f00561d-d6d7-46b2-af59-4ea225a9893a", "34e0e2cc-aab4-4581-9bc4-aba527024007"], "columns": {"0f00561d-d6d7-46b2-af59-4ea225a9893a": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}, "34e0e2cc-aab4-4581-9bc4-aba527024007": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "params": 
{"format": {"id": "number", "params": {"decimals": 0}}}, "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": false, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["34e0e2cc-aab4-4581-9bc4-aba527024007"], "layerId": "0600494b-6f03-450b-8dab-981005aedf32", "layerType": "data", "position": "top", "seriesType": "bar", "showGridlines": false, "xAccessor": "0f00561d-d6d7-46b2-af59-4ea225a9893a"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Alert Log Count Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "53b9b490-6cc1-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-0600494b-6f03-450b-8dab-981005aedf32", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1321], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDk0LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "source_port", "destination_ip", "destination_port", "uid", "_id"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_smtp\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "SMTP - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1323], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Webmail - True/False (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"SMTP - Webmail - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Webmail\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\"
,\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"is_webmail.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Webmail\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "53beb0d0-6e29-11e7-8b76-75eee0095daa", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1325], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDk2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSH - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "54d78f50-6e33-11e7-9a19-a5996f8250c6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1327], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDk3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": 
"Security Onion - NTLM - Success", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - NTLM - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.success: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ntlm.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e9f31a70-75c2-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1329], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - NTLM - Tree", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, 
"visState": "{\"title\":\"Security Onion - NTLM - Tree\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ntlm.server.tree.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.tree.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Tree\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "8cb83890-75c2-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1331], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MDk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - NTLM - Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - NTLM - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Netbios\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"DNS\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.nb.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"NetBIOS\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ntlm.server.dns.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"\",\"customLabel\":\"DNS\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "63f139c0-75c2-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": 
[1643385898421, 1333], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTAwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ntlm\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\"},\"panelIndex\":\"4555a871-9c2c-48d4-b143-bffc6d41ea4d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":16,\"h\":9,\"i\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\"},\"panelIndex\":\"0bc9ae29-cbc1-4272-ad27-9c2ff51c19ff\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d32748d9-d47b-41bb-ab9f-b59817230998\"},\"panelIndex\":\"d32748d9-d47b-41bb-ab9f-b59817230998\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":18,\"i\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\"},\"panelIndex\":\"2f7a5ee8-2258-4c8d-af2d-99a9e11defa2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":18,\"i\":\"4a50def3-c905-4493-b352-59741d68326e\"},\"panelIndex\":\"4a50def3-c905-4493-b352-59741d68326e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":10,\"h\":18,\"i\":\"075d7365-e106-4a1e-b003-bab7abbb7146\"},\"panelIndex\":\"075d7365-e106-4a1e-b003-bab7abbb7146\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":9,\"w\":9,\"h\":18,\"i\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\"},\"panelInde
x\":\"5202d0b2-7f34-4182-8e25-ec87d4df0965\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"f93042fa-bdd7-495f-af7b-eec95073e015\"},\"panelIndex\":\"f93042fa-bdd7-495f-af7b-eec95073e015\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"c72c241d-5b6f-475c-831b-4419dd437a26\"},\"panelIndex\":\"c72c241d-5b6f-475c-831b-4419dd437a26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - NTLM", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "558292e0-75c1-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "e9f31a70-75c2-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "8cb83890-75c2-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "63f139c0-75c2-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 1343], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTAxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dns\"},\"filter\":[]}"}, "optionsJSON": 
"{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\"},\"panelIndex\":\"ae3e83b1-5e53-40eb-8e4f-541e4851ddd2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\"},\"panelIndex\":\"4b8b4859-bd5c-446c-94e1-6d9b57cbe922\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\"},\"panelIndex\":\"ee03c5c1-9e26-42e3-b569-afa2712d7047\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":19,\"i\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\"},\"panelIndex\":\"706d8a5a-a263-48d0-8eb8-12eeade27115\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":19,\"i\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\"},\"panelIndex\":\"bf29b086-8b8d-47a5-8280-afeb737d6163\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":18,\"y\":9,\"w\":8,\"h\":19,\"i\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\"},\"panelIndex\":\"e99fb09c-6d8a-4a26-87ca-9ab82ef137c9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":26,\"y\":9,\"w\":11,\"h\":19,\"i\":\"499d1548-292c-47a9-8f26-73a6af91d004\"},\"panelIndex\":\"499d1548-292c-47a9-8f26-73a6af91d004\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":23,\"h\":21,\"i\":\"e41240ec-8024-4f3f-9de0-869622470e4d\"},\"panelIndex\":\"e41240ec-8024-4f3f-9de0-869622470e4d\",\"embeddableCon
fig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":23,\"y\":28,\"w\":25,\"h\":21,\"i\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\"},\"panelIndex\":\"fe297ab2-9a4b-438c-913b-7b5d1dea6182\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":29,\"i\":\"ae756423-c1d9-46f8-a1ee-28ee9626349d\"},\"panelIndex\":\"ae756423-c1d9-46f8-a1ee-28ee9626349d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.11.2\",\"gridData\":{\"x\":37,\"y\":9,\"w\":11,\"h\":19,\"i\":\"e79ec813-6af2-4618-ad48-a25444a8abe4\"},\"panelIndex\":\"e79ec813-6af2-4618-ad48-a25444a8abe4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - DNS", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "55ac6bf0-6ec4-11ea-9266-1fd14ca6af34", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "13cda410-c770-11ea-bebb-37c5ab5894ea", "name": "panel_6", "type": "visualization"}, {"id": "07065340-72ba-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "visualization"}, {"id": "536876a0-72ba-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}, {"id": "336dbde0-88aa-11eb-9841-852c8cc8a2e8", "name": 
"panel_10", "type": "visualization"}], "sort": [1643385898421, 1355], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTAyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"e980cacd-054a-4c43-95aa-1b036dac04fd": {"columnOrder": ["81df4048-abc0-4b0f-a7ec-9cf28f8cb367", "528ff47c-2e2a-40e5-a5be-2983ecff6031", "c2e1a93b-7344-40a5-9926-fc15afd832f0", "5c038dd2-ec5b-4ef9-8e5c-7c2db912c05a", "ad97207d-9f1a-4d60-9db3-0719f5596b29"], "columns": {"528ff47c-2e2a-40e5-a5be-2983ecff6031": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "IP", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ad97207d-9f1a-4d60-9db3-0719f5596b29", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.ip"}, "5c038dd2-ec5b-4ef9-8e5c-7c2db912c05a": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Version", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ad97207d-9f1a-4d60-9db3-0719f5596b29", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.os.version"}, "81df4048-abc0-4b0f-a7ec-9cf28f8cb367": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Hostname", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ad97207d-9f1a-4d60-9db3-0719f5596b29", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "host.name"}, "ad97207d-9f1a-4d60-9db3-0719f5596b29": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Total Logs", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "c2e1a93b-7344-40a5-9926-fc15afd832f0": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "OS", "operationType": "terms", 
"params": {"missingBucket": false, "orderBy": {"columnId": "ad97207d-9f1a-4d60-9db3-0719f5596b29", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.os.name"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "ad97207d-9f1a-4d60-9db3-0719f5596b29", "isTransposed": false}, {"columnId": "81df4048-abc0-4b0f-a7ec-9cf28f8cb367", "isTransposed": false}, {"columnId": "528ff47c-2e2a-40e5-a5be-2983ecff6031", "isTransposed": false}, {"columnId": "c2e1a93b-7344-40a5-9926-fc15afd832f0", "isTransposed": false}, {"columnId": "5c038dd2-ec5b-4ef9-8e5c-7c2db912c05a", "isTransposed": false}], "layerId": "e980cacd-054a-4c43-95aa-1b036dac04fd", "layerType": "data"}}, "title": "Endgame - Host Table", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "55edc2d0-68b4-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-e980cacd-054a-4c43-95aa-1b036dac04fd", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1359], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTAzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "IRC - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"IRC - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "85b1f890-35b7-11e7-a994-c528746bc6e8", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1361], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "IRC - Destination IP Address", 
"uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"IRC - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "bf959cb0-35b7-11e7-a994-c528746bc6e8", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1363], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTA1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "IRC - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"IRC - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e4615200-35b7-11e7-a994-c528746bc6e8", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1365], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "IRC - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"IRC - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG_HoKxQT5EBNmq4KN", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1367], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTA3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "IRC - Destination Country", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"IRC - Destination Country\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Country\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_geo.city_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination City\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f625b7b0-4a56-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1369], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTA4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": 
"search_0", "title": "IRC - Command", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"IRC - Command\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"irc_command.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Command\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "7bc09930-4a57-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1371], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTA5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - Bro - IRC", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "56a34ce0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": 
"b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "85b1f890-35b7-11e7-a994-c528746bc6e8", "name": "panel_1", "type": "visualization"}, {"id": "bf959cb0-35b7-11e7-a994-c528746bc6e8", "name": "panel_2", "type": "visualization"}, {"id": "e4615200-35b7-11e7-a994-c528746bc6e8", "name": "panel_3", "type": "visualization"}, {"id": "344c6010-342e-11e7-9e93-53b62e1857b2", "name": "panel_4", "type": "search"}, {"id": "3c073d20-6e17-11e7-8624-1fb07dd76c6a", "name": "panel_5", "type": "visualization"}, {"id": "AWDG_HoKxQT5EBNmq4KN", "name": "panel_6", "type": "visualization"}, {"id": "f625b7b0-4a56-11e8-9b0a-f1d33346f773", "name": "panel_7", "type": "visualization"}, {"id": "7bc09930-4a57-11e8-9b0a-f1d33346f773", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 1381], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTEwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "57a9a3f0-34c0-11e7-9b32-bb903919ead9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": 
[1643385898421, 1383], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTExLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DHCP - Lease Time", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DHCP - Lease Time\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"lease_time.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Lease Time\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "58c84f60-0edb-11e9-9846-59f545e7293f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1385], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTEyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"46832f84-f86b-4914-a3ac-aaeda9f09cf7": {"columnOrder": ["77069155-4e9a-4727-b888-648fed60258e", "e7878efe-2181-449d-afd3-771296665829", "738c056c-c4eb-4855-a690-90fa5b9e23f8", "02c8c47e-9b96-4384-b467-1fd9cff2b78b", "d61f74aa-1899-4881-a2cc-d0dc7cbf28df", "6de07e81-5ee7-4885-af47-26b401667757", "895abdf3-8c99-4473-a904-b379d478aae1", "e30b3573-c58d-4b82-853d-70c1d090d641"], "columns": 
{"02c8c47e-9b96-4384-b467-1fd9cff2b78b": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.command_line", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "process.command_line"}, "6de07e81-5ee7-4885-af47-26b401667757": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "file.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "file.name"}, "738c056c-c4eb-4855-a690-90fa5b9e23f8": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Category", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "event.category"}, "77069155-4e9a-4727-b888-648fed60258e": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "event.id (click on + to go to Endgame)", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "event.id"}, "895abdf3-8c99-4473-a904-b379d478aae1": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.domain", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.domain"}, "d61f74aa-1899-4881-a2cc-d0dc7cbf28df": 
{"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "process.name"}, "e30b3573-c58d-4b82-853d-70c1d090d641": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "e7878efe-2181-449d-afd3-771296665829": {"customLabel": true, "dataType": "number", "isBucketed": true, "label": "Severity", "operationType": "range", "params": {"maxBars": "auto", "ranges": [{"from": 0, "label": "", "to": 1000}], "type": "histogram"}, "scale": "interval", "sourceField": "event.severity"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"columns": [{"columnId": "77069155-4e9a-4727-b888-648fed60258e", "isTransposed": false}, {"alignment": "center", "columnId": "e7878efe-2181-449d-afd3-771296665829", "isTransposed": false}, {"columnId": "738c056c-c4eb-4855-a690-90fa5b9e23f8", "isTransposed": false}, {"columnId": "02c8c47e-9b96-4384-b467-1fd9cff2b78b", "isTransposed": false}, {"columnId": "d61f74aa-1899-4881-a2cc-d0dc7cbf28df", "isTransposed": false}, {"columnId": "6de07e81-5ee7-4885-af47-26b401667757", "isTransposed": false}, {"columnId": "895abdf3-8c99-4473-a904-b379d478aae1", "isTransposed": false}, {"columnId": "e30b3573-c58d-4b82-853d-70c1d090d641", "hidden": true, "isTransposed": false}], "layerId": "46832f84-f86b-4914-a3ac-aaeda9f09cf7", "layerType": "data"}}, "title": "Endgame - Alerts with drilldown", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "5a203910-6cbe-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": 
"indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-46832f84-f86b-4914-a3ac-aaeda9f09cf7", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1389], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"query\":\"*\",\"analyze_wildcard\":true,\"default_field\":\"*\"}},\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Devices - Log Count By Device", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Devices - Log Count By Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Device\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "5b3988c0-a840-11e7-893a-1b88920b2837", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1391], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzE0MTE0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RDP - Client Build", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RDP - Client Build\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.client_build.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.client_build.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Build\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "bdae8640-75c5-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1393], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTE1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RDP - Security Protocol", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RDP - Security Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rdp.security_protocol.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rdp.security_protocol.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Protocol\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "dad85840-75c5-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1395], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTE2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rdp\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\"},\"panelIndex\":\"1aacbaf6-078a-4b6e-bbd2-ae21a4974aba\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\"},\"panelIndex\":\"8abc0250-1076-45e8-b62b-54dc7dd0cfca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\"},\"panelIndex\":\"dc48b27e-f00b-4723-87ab-64f726e51e74\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\"},\"panelIndex\":\"da3945b4-9e74-4bb9-8868-a13f1d9bc0d8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f4437b55-61ef-4818-a8c4-448407c7052b\"},\"panelIndex\":\"f4437b55-61ef-4818-a8c4-448407c7052b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":7,\"h\":19,\"i\":\"33630c53-4de4-4064-a319-bd71be01dc06\"},\"panelIndex\":\"33630c53-4de4-4064-a319-bd71be01dc06\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":8,\"w\":7,\"h\":19,\"i\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\"},\"panelIndex\":\"ed8dee78-79d4-47cf-9ed5-6120f00f3aaf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":7,\"h\":19,\"i\":\"35083762-4591-44ac-
a31f-36bed3414af2\"},\"panelIndex\":\"35083762-4591-44ac-a31f-36bed3414af2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":8,\"w\":9,\"h\":19,\"i\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\"},\"panelIndex\":\"66e7cf00-ec90-4df3-acd3-02fb271f0959\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"f84fe347-bdda-4297-b460-eee297f7e91e\"},\"panelIndex\":\"f84fe347-bdda-4297-b460-eee297f7e91e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - RDP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "5b743150-75c5-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "bdae8640-75c5-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "dad85840-75c5-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "0c006bb0-75c6-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "2e7363f0-75c6-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 1406], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTE3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Nodes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Nodes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "5cba9760-6e9b-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1408], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - All Logs", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - All 
Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":50}}}}"}, "coreMigrationVersion": "7.16.2", "id": "e2da1340-53a3-11ec-b3ef-6bcc33056a36", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1411], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTE5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - Categories with Full Event Type", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - Categories with Full Event Type\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"endgame.event_type_full\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Event 
Type\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Event Category\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "af1768b0-53ac-11ec-b3ef-6bcc33056a36", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1414], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTIwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": 
"[{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"fe254730-eee5-4aff-b672-a83e54b49c12\"},\"panelIndex\":\"fe254730-eee5-4aff-b672-a83e54b49c12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_fe254730-eee5-4aff-b672-a83e54b49c12\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":13,\"y\":0,\"w\":25,\"h\":9,\"i\":\"5e96a8cf-1dab-4df2-a4be-baf960448da4\"},\"panelIndex\":\"5e96a8cf-1dab-4df2-a4be-baf960448da4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5e96a8cf-1dab-4df2-a4be-baf960448da4\"},{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":38,\"y\":0,\"w\":10,\"h\":9,\"i\":\"38c65a86-724b-4c25-818b-1564fbb3793f\"},\"panelIndex\":\"38c65a86-724b-4c25-818b-1564fbb3793f\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Alert Count\",\"description\":\"\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}},\"uiState\":{},\"data\":{\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"searchSource\":{\"index\":\"endgame-*\",\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"index\":\"endgame-*\",\"key\":\"event.action\",\"negate\":false,\"params\":{\"query\":\"detection\"},\"type\":\"phrase\"},\"query\":{\"match_phrase\":{\"event.action\":\"detection\"}}}]}}},\"enhancements\":{},\"type\":\"visualization\"}},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":9,\"w\":13,\"h\":16,\"i\":\"680adbf3-9347-4c45-87b8-d87587e38b09\"},\"panelIndex\":\"680adbf3-9347-4c45-87b8-d87587e38b09\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_680adbf3-9347-4c45-87b8-d87587e38b09\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":13,\"y\":9,\"w\":25,\"h\":16,\"i\":\"6569d104-bb49-4de6-8d2d-9dc49739b291\"},\"panelIndex\":\"6569d104-bb49-4de6-8d2d-9dc49739b291\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6569d104-bb49-4de6-8d2d-9dc49739b291\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":25,\"w\":48,\"h\":13,\"i\":\"4a354630-93fd-4370-b10f-80386aee6d00\"},\"panelIndex\":\"4a354630-93fd-4370-b10f-80386aee6d00\",\"embeddableConfig\":{\"columns\":[],\"enhancements\":{}},\"panelRefName\":\"panel_4a354630-93fd-4370-b10f-80386aee6d00\"}]", "timeRestore": false, "title": "Endgame - Host", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "5d8f04d0-53b6-11ec-b3ef-6bcc33056a36", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "e2da1340-53a3-11ec-b3ef-6bcc33056a36", "name": 
"fe254730-eee5-4aff-b672-a83e54b49c12:panel_fe254730-eee5-4aff-b672-a83e54b49c12", "type": "visualization"}, {"id": "2f7966b0-53a4-11ec-b3ef-6bcc33056a36", "name": "5e96a8cf-1dab-4df2-a4be-baf960448da4:panel_5e96a8cf-1dab-4df2-a4be-baf960448da4", "type": "visualization"}, {"id": "endgame-*", "name": "38c65a86-724b-4c25-818b-1564fbb3793f:kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "endgame-*", "name": "38c65a86-724b-4c25-818b-1564fbb3793f:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "3b50b220-53ab-11ec-b3ef-6bcc33056a36", "name": "680adbf3-9347-4c45-87b8-d87587e38b09:panel_680adbf3-9347-4c45-87b8-d87587e38b09", "type": "visualization"}, {"id": "af1768b0-53ac-11ec-b3ef-6bcc33056a36", "name": "6569d104-bb49-4de6-8d2d-9dc49739b291:panel_6569d104-bb49-4de6-8d2d-9dc49739b291", "type": "visualization"}, {"id": "20c85b70-53aa-11ec-b3ef-6bcc33056a36", "name": "4a354630-93fd-4370-b10f-80386aee6d00:panel_4a354630-93fd-4370-b10f-80386aee6d00", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1423], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTIxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "MySQL - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"MySQL - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "5d9031a0-363f-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5d624230-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1425], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RFB - Client Version", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RFB - Client 
Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Major Version\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_major_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.client_minor_version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Minor Version\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "5dcf09e0-75c8-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1427], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTIzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": 
"RADIUS - Connection Information", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RADIUS - Connection Information\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"connect_info.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection Info\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "5df79fe0-3809-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1429], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTI0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Host - Process Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process.executable.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process 
Image\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"process.command_line.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Host - Process Name\"}"}, "coreMigrationVersion": "7.16.2", "id": "5e18a970-c77f-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1431], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - URI", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"uri.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"URI\"}}],\"listeners\":{}}"}, 
"coreMigrationVersion": "7.16.2", "id": "5e36c370-3753-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1433], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - FTP - Argument", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - FTP - Argument\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.argument.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "5fcdb0c0-755f-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1435], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTI3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, 
"savedSearchRefName": "search_0", "title": "SMB - FIle Path", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMB - FIle Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Path\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "60384e00-3aaf-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1437], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTI4LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"97b747de-fee3-4557-84f6-3d6aecd1f5c7": {"columnOrder": ["dccdca2f-fac1-43ce-8c74-d50a8a007366"], "columns": {"dccdca2f-fac1-43ce-8c74-d50a8a007366": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Hosts", "operationType": "unique_count", "scale": "ratio", "sourceField": "host.ip"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"accessor": "dccdca2f-fac1-43ce-8c74-d50a8a007366", "layerId": "97b747de-fee3-4557-84f6-3d6aecd1f5c7", "layerType": "data"}}, "title": "Endgame - Hosts Metric", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": 
"indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-97b747de-fee3-4557-84f6-3d6aecd1f5c7", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1441], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTI5LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"fac6e4a9-2d36-463c-b2b0-b451546f6f20": {"columnOrder": ["2bea62c1-f8ef-43c3-b9c3-1931437bc5db"], "columns": {"2bea62c1-f8ef-43c3-b9c3-1931437bc5db": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Alerts", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.action", "negate": false, "params": {"query": "detection"}, "type": "phrase"}, "query": {"match_phrase": {"event.action": "detection"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"accessor": "2bea62c1-f8ef-43c3-b9c3-1931437bc5db", "layerId": "fac6e4a9-2d36-463c-b2b0-b451546f6f20", "layerType": "data"}}, "title": "Endgame - Alerts Metric", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-fac6e4a9-2d36-463c-b2b0-b451546f6f20", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 
1446], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTMwLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"8acd9613-749e-4ecc-a97e-24fa0c586661": {"columnOrder": ["8449f044-6a5e-439c-96a6-8512972b0b47", "d31636dd-3123-499d-b049-f8f62bf4886c", "78001c1d-52c1-42ad-ae15-d7d53f63443d"], "columns": {"78001c1d-52c1-42ad-ae15-d7d53f63443d": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "8449f044-6a5e-439c-96a6-8512972b0b47": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}, "d31636dd-3123-499d-b049-f8f62bf4886c": {"dataType": "string", "isBucketed": true, "label": "Top values of host.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "78001c1d-52c1-42ad-ae15-d7d53f63443d", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.name"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["78001c1d-52c1-42ad-ae15-d7d53f63443d"], "layerId": "8acd9613-749e-4ecc-a97e-24fa0c586661", "layerType": "data", "position": "top", "seriesType": "bar_stacked", "showGridlines": false, "splitAccessor": "d31636dd-3123-499d-b049-f8f62bf4886c", "xAccessor": "8449f044-6a5e-439c-96a6-8512972b0b47"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, 
"valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Logs Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "82185ff0-696d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-8acd9613-749e-4ecc-a97e-24fa0c586661", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1450], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTMxLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"9643f560-7a46-408c-b61d-ed2a87fc6103": {"columnOrder": ["305b2f21-9981-40d5-a79b-f7a78eea89b4", "3520723b-f0f3-4845-975c-e97380d8124b"], "columns": {"305b2f21-9981-40d5-a79b-f7a78eea89b4": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "3520723b-f0f3-4845-975c-e97380d8124b", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "process.name"}, "3520723b-f0f3-4845-975c-e97380d8124b": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"process\" "}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["305b2f21-9981-40d5-a79b-f7a78eea89b4"], "layerId": "9643f560-7a46-408c-b61d-ed2a87fc6103", "layerType": "data", "legendDisplay": "default", "metric": "3520723b-f0f3-4845-975c-e97380d8124b", "nestedLegend": false, 
"numberDisplay": "percent"}], "palette": {"name": "kibana_palette", "type": "palette"}, "shape": "treemap"}}, "title": "Endgame - Processes", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "e2cff350-6ccc-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1454], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTMyLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3c3da49b-8bd7-4bda-a105-3ca8d03a92a1": {"columnOrder": ["5879e1c5-7dc8-47b4-9e77-fcc86dace366"], "columns": {"5879e1c5-7dc8-47b4-9e77-fcc86dace366": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"process\" "}, "visualization": {"accessor": "5879e1c5-7dc8-47b4-9e77-fcc86dace366", "layerId": "3c3da49b-8bd7-4bda-a105-3ca8d03a92a1", "layerType": "data"}}, "title": "Endgame - Process Logs", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "ed1f0300-6cd1-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3c3da49b-8bd7-4bda-a105-3ca8d03a92a1", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], 
"sort": [1643385898421, 1458], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTMzLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"13fd0aca-d81f-48ad-8ec0-f46d3fc261b9": {"columnOrder": ["198cf7c0-6033-4379-bfca-2216fc2b6c1b", "17394250-c888-4ac8-aff4-4a735e5d1c54"], "columns": {"17394250-c888-4ac8-aff4-4a735e5d1c54": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "198cf7c0-6033-4379-bfca-2216fc2b6c1b": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"process\" "}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["17394250-c888-4ac8-aff4-4a735e5d1c54"], "layerId": "13fd0aca-d81f-48ad-8ec0-f46d3fc261b9", "layerType": "data", "position": "top", "seriesType": "area", "showGridlines": false, "xAccessor": "198cf7c0-6033-4379-bfca-2216fc2b6c1b"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "area", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Process Log Count Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "f1e98360-6cd1-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": 
"endgame-*", "name": "indexpattern-datasource-layer-13fd0aca-d81f-48ad-8ec0-f46d3fc261b9", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1462], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTM0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3b6026b4-9c36-4fbc-9f90-bd5580303bea": {"columnOrder": ["d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721", "ff0a89b4-427d-4739-bb83-86794a1f4289"], "columns": {"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ff0a89b4-427d-4739-bb83-86794a1f4289", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "user.name"}, "ff0a89b4-427d-4739-bb83-86794a1f4289": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"process\" "}, "visualization": {"columns": [{"columnId": "d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721"}, {"columnId": "ff0a89b4-427d-4739-bb83-86794a1f4289"}], "layerId": "3b6026b4-9c36-4fbc-9f90-bd5580303bea", "layerType": "data"}}, "title": "Endgame - Process Users", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "e88fd030-6ccc-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", 
"name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1466], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTM1LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"b4bc52f0-5c52-4bea-97fb-eb59f08750c7": {"columnOrder": ["9c1ca31d-300f-4b75-868b-8a44e94694c6", "dda96a38-363d-4f03-8c65-3d8376f7050e"], "columns": {"9c1ca31d-300f-4b75-868b-8a44e94694c6": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "event.action", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "dda96a38-363d-4f03-8c65-3d8376f7050e", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "event.action"}, "dda96a38-363d-4f03-8c65-3d8376f7050e": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category: \"process\" "}, "visualization": {"columns": [{"columnId": "9c1ca31d-300f-4b75-868b-8a44e94694c6"}, {"columnId": "dda96a38-363d-4f03-8c65-3d8376f7050e"}], "layerId": "b4bc52f0-5c52-4bea-97fb-eb59f08750c7", "layerType": "data"}}, "title": "Endgame - Process Actions", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "edca7780-6ccc-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-b4bc52f0-5c52-4bea-97fb-eb59f08750c7", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1470], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", 
"version": "WzE0MTM2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"c2cf18da-c9a6-487f-9ddb-efd26330a73b": {"columnOrder": ["ba18fc18-b228-49c5-b67f-f16d03268eb5", "63fe9cc9-dd12-49c3-b6f6-51722074d378", "0194a818-8b41-44d5-9081-e0351a922200", "e17daf81-0320-4352-84b8-598d1b19f924"], "columns": {"0194a818-8b41-44d5-9081-e0351a922200": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.executable", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e17daf81-0320-4352-84b8-598d1b19f924", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "process.executable"}, "63fe9cc9-dd12-49c3-b6f6-51722074d378": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.command_line", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e17daf81-0320-4352-84b8-598d1b19f924", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "process.command_line"}, "ba18fc18-b228-49c5-b67f-f16d03268eb5": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "process.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "e17daf81-0320-4352-84b8-598d1b19f924", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "process.name"}, "e17daf81-0320-4352-84b8-598d1b19f924": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"process\" "}, "visualization": {"columns": [{"columnId": "ba18fc18-b228-49c5-b67f-f16d03268eb5", "isTransposed": false, "width": 243}, {"columnId": 
"63fe9cc9-dd12-49c3-b6f6-51722074d378", "isTransposed": false, "width": 599}, {"columnId": "0194a818-8b41-44d5-9081-e0351a922200", "isTransposed": false, "width": 771}, {"columnId": "e17daf81-0320-4352-84b8-598d1b19f924", "isTransposed": false, "width": 233}], "layerId": "c2cf18da-c9a6-487f-9ddb-efd26330a73b", "layerType": "data"}}, "title": "Endgame - Process Information", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "dbb93900-6ccc-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-c2cf18da-c9a6-487f-9ddb-efd26330a73b", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1474], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTM3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":11,\"i\":\"26712c83-24f3-4af6-a20e-edab103002fd\"},\"panelIndex\":\"26712c83-24f3-4af6-a20e-edab103002fd\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | 
[Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_26712c83-24f3-4af6-a20e-edab103002fd\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":11,\"h\":11,\"i\":\"b7feb2b8-999d-433e-9b12-85aacdc61f16\"},\"panelIndex\":\"b7feb2b8-999d-433e-9b12-85aacdc61f16\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Logs\",\"panelRefName\":\"panel_b7feb2b8-999d-433e-9b12-85aacdc61f16\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":19,\"y\":0,\"w\":29,\"h\":11,\"i\":\"8b515da9-7c43-4e1a-872f-e92da896933f\"},\"panelIndex\":\"8b515da9-7c43-4e1a-872f-e92da896933f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Log Count Over Time\",\"panelRefName\":\"panel_8b515da9-7c43-4e1a-872f-e92da896933f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":24,\"h\":15,\"i\":\"7837aa9f-dca6-4a7b-9881-65f26b2a5f4f\"},\"panelIndex\":\"7837aa9f-dca6-4a7b-9881-65f26b2a5f4f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - 
Processes\",\"panelRefName\":\"panel_7837aa9f-dca6-4a7b-9881-65f26b2a5f4f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":11,\"w\":10,\"h\":15,\"i\":\"26df0dd7-8042-4e69-a4b1-c8ed5a677f6a\"},\"panelIndex\":\"26df0dd7-8042-4e69-a4b1-c8ed5a677f6a\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Users\",\"panelRefName\":\"panel_26df0dd7-8042-4e69-a4b1-c8ed5a677f6a\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":34,\"y\":11,\"w\":14,\"h\":15,\"i\":\"508bbc67-1a96-465d-b30d-23aecaaf4895\"},\"panelIndex\":\"508bbc67-1a96-465d-b30d-23aecaaf4895\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Process Actions\",\"panelRefName\":\"panel_508bbc67-1a96-465d-b30d-23aecaaf4895\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":14,\"i\":\"a89ab8ad-a272-405f-8db8-4f722bbfeb61\"},\"panelIndex\":\"a89ab8ad-a272-405f-8db8-4f722bbfeb61\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Process Information\",\"panelRefName\":\"panel_a89ab8ad-a272-405f-8db8-4f722bbfeb61\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":17,\"i\":\"9248209e-9f35-48c5-958c-3cab215eb410\"},\"panelIndex\":\"9248209e-9f35-48c5-958c-3cab215eb410\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9248209e-9f35-48c5-958c-3cab215eb410\"}]", "timeRestore": false, "title": "Endgame - Process", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "790991a0-6287-11ec-864c-8b5450f97635", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "26712c83-24f3-4af6-a20e-edab103002fd:panel_26712c83-24f3-4af6-a20e-edab103002fd", "type": "visualization"}, {"id": "ed1f0300-6cd1-11ec-864c-8b5450f97635", "name": 
"b7feb2b8-999d-433e-9b12-85aacdc61f16:panel_b7feb2b8-999d-433e-9b12-85aacdc61f16", "type": "lens"}, {"id": "f1e98360-6cd1-11ec-864c-8b5450f97635", "name": "8b515da9-7c43-4e1a-872f-e92da896933f:panel_8b515da9-7c43-4e1a-872f-e92da896933f", "type": "lens"}, {"id": "e2cff350-6ccc-11ec-864c-8b5450f97635", "name": "7837aa9f-dca6-4a7b-9881-65f26b2a5f4f:panel_7837aa9f-dca6-4a7b-9881-65f26b2a5f4f", "type": "lens"}, {"id": "e88fd030-6ccc-11ec-864c-8b5450f97635", "name": "26df0dd7-8042-4e69-a4b1-c8ed5a677f6a:panel_26df0dd7-8042-4e69-a4b1-c8ed5a677f6a", "type": "lens"}, {"id": "edca7780-6ccc-11ec-864c-8b5450f97635", "name": "508bbc67-1a96-465d-b30d-23aecaaf4895:panel_508bbc67-1a96-465d-b30d-23aecaaf4895", "type": "lens"}, {"id": "dbb93900-6ccc-11ec-864c-8b5450f97635", "name": "a89ab8ad-a272-405f-8db8-4f722bbfeb61:panel_a89ab8ad-a272-405f-8db8-4f722bbfeb61", "type": "lens"}, {"id": "424d7a60-6f0b-11ec-864c-8b5450f97635", "name": "9248209e-9f35-48c5-958c-3cab215eb410:panel_9248209e-9f35-48c5-958c-3cab215eb410", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1484], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTM4LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"521cff19-8a9b-4da3-9494-488b27d4dd82": {"columnOrder": ["8dfaf54f-d93c-4ec7-b0ba-eb0952346f84", "34b55020-af44-47dd-8789-141a3bded802", "1f3dc877-ccc1-43a6-8405-b2866867032c"], "columns": {"1f3dc877-ccc1-43a6-8405-b2866867032c": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "34b55020-af44-47dd-8789-141a3bded802": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "registry.key", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": 
"1f3dc877-ccc1-43a6-8405-b2866867032c", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "registry.key"}, "8dfaf54f-d93c-4ec7-b0ba-eb0952346f84": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.hostname", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "1f3dc877-ccc1-43a6-8405-b2866867032c", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "host.name"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category : \"registry\" "}, "visualization": {"columns": [{"columnId": "8dfaf54f-d93c-4ec7-b0ba-eb0952346f84", "isTransposed": false}, {"columnId": "34b55020-af44-47dd-8789-141a3bded802", "isTransposed": false}, {"columnId": "1f3dc877-ccc1-43a6-8405-b2866867032c", "isTransposed": false}], "layerId": "521cff19-8a9b-4da3-9494-488b27d4dd82", "layerType": "data"}}, "title": "Endgame - Registry Events", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "e1e12ab0-6cc5-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-521cff19-8a9b-4da3-9494-488b27d4dd82", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1488], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTM5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": 
"[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":11,\"h\":9,\"i\":\"64356467-dfe4-4eed-b53d-0cdf0b94f6d0\"},\"panelIndex\":\"64356467-dfe4-4eed-b53d-0cdf0b94f6d0\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_64356467-dfe4-4eed-b53d-0cdf0b94f6d0\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":11,\"y\":0,\"w\":15,\"h\":9,\"i\":\"cc23bd7c-9000-4af9-875e-5779794011d0\"},\"panelIndex\":\"cc23bd7c-9000-4af9-875e-5779794011d0\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"panelRefName\":\"panel_cc23bd7c-9000-4af9-875e-5779794011d0\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":26,\"y\":0,\"w\":11,\"h\":9,\"i\":\"276394f1-fa5b-42b2-ab7c-8db18bd367a3\"},\"panelIndex\":\"276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"le
ns\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3\",\"type\":\"lens\",\"id\":\"df2ef610-6a1f-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-97b747de-fee3-4557-84f6-3d6aecd1f5c7\"}],\"state\":{\"visualization\":{\"layerId\":\"97b747de-fee3-4557-84f6-3d6aecd1f5c7\",\"accessor\":\"dccdca2f-fac1-43ce-8c74-d50a8a007366\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"97b747de-fee3-4557-84f6-3d6aecd1f5c7\":{\"columns\":{\"dccdca2f-fac1-43ce-8c74-d50a8a007366\":{\"label\":\"Hosts\",\"dataType\":\"number\",\"operationType\":\"unique_count\",\"scale\":\"ratio\",\"sourceField\":\"host.ip\",\"isBucketed\":false,\"customLabel\":true}},\"columnOrder\":[\"dccdca2f-fac1-43ce-8c74-d50a8a007366\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_276394f1-fa5b-4
2b2-ab7c-8db18bd367a3\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":37,\"y\":0,\"w\":11,\"h\":9,\"i\":\"2c8d6219-3e37-47c9-bfb2-9330167ad7b8\"},\"panelIndex\":\"2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsMetric\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330
167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"name\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\",\"type\":\"lens\",\"id\":\"d07fce50-6a1f-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-fac6e4a9-2d36-463c-b2b0-b451546f6f20\"},{\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\",\"id\":\"endgame-*\"}],\"state\":{\"visualization\":{\"layerId\":\"fac6e4a9-2d36-463c-b2b0-b451546f6f20\",\"accessor\":\"2bea62c1-f8ef-43c3-b9c3-1931437bc5db\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.action\",\"params\":{\"query\":\"detection\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.action\":\"detection\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"fac6e4a9-2d36-463c-b2b0-b451546f6f20\":{\"columns\":{\"2bea62c1-f8ef-43c3-b9c3-1931437bc5db\":{\"label\":\"Alerts\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\",\"customLabel\":true}},\"columnOrder\":[\"2bea62c1-f8ef-43c3-b9c3-1931437bc5db\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":9,\"w\":48,\"h\":13,\"i\":\"f702b2f2-5fc3-4a29-90a6-0d0d223fd358\"},\"panelIndex\":\"f702b2f2-5fc3-4a29-90a6-0d0d223fd358\",\"embeddab
leConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f702b2f2-5fc3-4a29-90a6-0d0d223fd358\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":22,\"w\":48,\"h\":14,\"i\":\"93800440-ed84-48b6-8055-c58a5d290ec6\"},\"panelIndex\":\"93800440-ed84-48b6-8055-c58a5d290ec6\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-
6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"name\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\",\"type\":\"lens\",\"id\":\"03935e10-6a20-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-1828f449-a2e9-4ed2-a72c-e6f22382569e\"}],\"state\":{\"visualization\":{\"columns\":[{\"columnId\":\"e5498d4d-b9af-4016-8afc-e4639ceb6c10\",\"isTransposed\":false},{\"columnId\":\"b76f4623-7690-4ad3-ae68-d19b80a2361a\",\"isTransposed\":false}],\"layerId\":\"1828f449-a2e9-4ed2-a72c-e6f22382569e\",\"layerType\":\"data\"},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"1828f449-a2e9-4ed2-a72c-e6f22382569e\":{\"columns\":{\"e5498d4d-b9af-4016-8afc-e4639ceb6c10\":{\"label\":\"Top values of host.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"host.name\",\"isBucketed\":true,\"params\":{\"size\":5,\"orderBy\":{\"type\":\"alphabetical\",\"fallback\":true},\"orderDirection\":\"asc\",\"otherBucket\":true,\"missingBucket\":false}},\"b76f4623-7690-4ad3-ae68-d19b80a2361a\":{\"label\":\"Last value of 
host.ip\",\"dataType\":\"ip\",\"operationType\":\"last_value\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"host.ip\",\"params\":{\"sortField\":\"@timestamp\"}}},\"columnOrder\":[\"e5498d4d-b9af-4016-8afc-e4639ceb6c10\",\"b76f4623-7690-4ad3-ae68-d19b80a2361a\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"type\":\"lens\"},\"panelRefName\":\"panel_93800440-ed84-48b6-8055-c58a5d290ec6\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":36,\"w\":48,\"h\":14,\"i\":\"f389ba6c-bcad-4564-aca0-e696e2981239\"},\"panelIndex\":\"f389ba6c-bcad-4564-aca0-e696e2981239\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_f389ba6c-bcad-4564-aca0-e696e2981239\"},{\"version\":\"7.15.2\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":50,\"w\":48,\"h\":18,\"i\":\"1ae20b57-e5db-4e2b-b45b-51132e0892d2\"},\"panelIndex\":\"1ae20b57-e5db-4e2b-b45b-51132e0892d2\",\"embeddableConfig\":{\"enhancements\":{},\"vis\":null},\"panelRefName\":\"panel_1ae20b57-e5db-4e2b-b45b-51132e0892d2\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":68,\"w\":23,\"h\":16,\"i\":\"64991e9b-5624-4d8d-9624-3077e970068f\"},\"panelIndex\":\"64991e9b-5624-4d8d-9624-3077e970068f\",\"embeddableConfig\":{\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"842ed2f7-3fb1-4c0d-a62c-dd9d06de42da\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"Go to Dashboard\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true}}}]}},\"hidePanelTitles\":false},\"title\":\"Endgame - Network DNS Requests 
Chart\",\"panelRefName\":\"panel_64991e9b-5624-4d8d-9624-3077e970068f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":23,\"y\":68,\"w\":25,\"h\":16,\"i\":\"d3b35751-4ec0-441c-a399-4c56a38ea9d3\"},\"panelIndex\":\"d3b35751-4ec0-441c-a399-4c56a38ea9d3\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[{\"eventId\":\"99f3c946-0494-42aa-a14f-cac5dce6757d\",\"triggers\":[\"FILTER_TRIGGER\"],\"action\":{\"factoryId\":\"DASHBOARD_TO_DASHBOARD_DRILLDOWN\",\"name\":\"View in Process Dashboard\",\"config\":{\"useCurrentFilters\":true,\"useCurrentDateRange\":true}}}]}}},\"title\":\"Endgame - Processes\",\"panelRefName\":\"panel_d3b35751-4ec0-441c-a399-4c56a38ea9d3\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":84,\"w\":24,\"h\":15,\"i\":\"77406005-0714-4d8f-a535-79c693437dfe\"},\"panelIndex\":\"77406005-0714-4d8f-a535-79c693437dfe\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Auth Event 
Outcome\",\"panelRefName\":\"panel_77406005-0714-4d8f-a535-79c693437dfe\"},{\"version\":\"7.16.0\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":84,\"w\":24,\"h\":15,\"i\":\"79b433c6-e740-40be-8b5e-02155ee11955\"},\"panelIndex\":\"79b433c6-e740-40be-8b5e-02155ee11955\",\"embeddableConfig\":{\"attributes\":{\"title\":\"\",\"visualizationType\":\"lnsDatatable\",\"type\":\"lens\",\"references\":[{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"name\":\"panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2\",\"type\":\"lens\",\"id\":\"676296e0-6d6d-11ec-864c-8b5450f97635\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-current-indexpattern\"},{\"type\":\"index-pattern\",\"id\":\"endgame-*\",\"name\":\"indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b\"},{
\"name\":\"filter-index-pattern-0\",\"type\":\"index-pattern\",\"id\":\"endgame-*\"}],\"state\":{\"visualization\":{\"layerId\":\"e5f77e35-1bc5-4487-9602-e2962cafa87b\",\"layerType\":\"data\",\"columns\":[{\"isTransposed\":false,\"columnId\":\"ade5af28-bac8-4a2d-adff-28580282a9d2\"},{\"isTransposed\":false,\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},{\"columnId\":\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"isTransposed\":false}]},\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filters\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"file\"},\"indexRefName\":\"filter-index-pattern-0\"},\"query\":{\"match_phrase\":{\"event.category\":\"file\"}},\"$state\":{\"store\":\"appState\"}}],\"datasourceStates\":{\"indexpattern\":{\"layers\":{\"e5f77e35-1bc5-4487-9602-e2962cafa87b\":{\"columns\":{\"ade5af28-bac8-4a2d-adff-28580282a9d2\":{\"label\":\"Top values of file.name\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.name\",\"isBucketed\":true,\"params\":{\"size\":100,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}},\"e480935c-b388-48c6-9582-fb4600b462fb\":{\"label\":\"Count of records\",\"dataType\":\"number\",\"operationType\":\"count\",\"isBucketed\":false,\"scale\":\"ratio\",\"sourceField\":\"Records\"},\"bb5f0057-5e74-4baf-9839-aff53de6d145\":{\"label\":\"Top values of 
file.path\",\"dataType\":\"string\",\"operationType\":\"terms\",\"scale\":\"ordinal\",\"sourceField\":\"file.path\",\"isBucketed\":true,\"params\":{\"size\":3,\"orderBy\":{\"type\":\"column\",\"columnId\":\"e480935c-b388-48c6-9582-fb4600b462fb\"},\"orderDirection\":\"desc\",\"otherBucket\":true,\"missingBucket\":true}}},\"columnOrder\":[\"ade5af28-bac8-4a2d-adff-28580282a9d2\",\"bb5f0057-5e74-4baf-9839-aff53de6d145\",\"e480935c-b388-48c6-9582-fb4600b462fb\"],\"incompleteColumns\":{}}}}}}},\"enhancements\":{},\"hidePanelTitles\":false,\"type\":\"lens\"},\"title\":\"Endgame - File Name\",\"panelRefName\":\"panel_79b433c6-e740-40be-8b5e-02155ee11955\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":99,\"w\":48,\"h\":15,\"i\":\"812191d7-0fc5-4dba-8cb6-600b9e3ee15c\"},\"panelIndex\":\"812191d7-0fc5-4dba-8cb6-600b9e3ee15c\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Registry Events\",\"panelRefName\":\"panel_812191d7-0fc5-4dba-8cb6-600b9e3ee15c\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":114,\"w\":48,\"h\":19,\"i\":\"b4898ca9-c99e-4ea2-a269-4e60616f2a4f\"},\"panelIndex\":\"b4898ca9-c99e-4ea2-a269-4e60616f2a4f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_b4898ca9-c99e-4ea2-a269-4e60616f2a4f\"}]", "timeRestore": false, "title": "Endgame - Admin", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "6063a9e0-61b2-11ec-864c-8b5450f97635", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "64356467-dfe4-4eed-b53d-0cdf0b94f6d0:panel_64356467-dfe4-4eed-b53d-0cdf0b94f6d0", "type": "visualization"}, {"id": "e2da1340-53a3-11ec-b3ef-6bcc33056a36", "name": "cc23bd7c-9000-4af9-875e-5779794011d0:panel_cc23bd7c-9000-4af9-875e-5779794011d0", "type": "visualization"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": 
"276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": 
"df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "df2ef610-6a1f-11ec-864c-8b5450f97635", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:panel_276394f1-fa5b-42b2-ab7c-8db18bd367a3", "type": "lens"}, {"id": "endgame-*", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "276394f1-fa5b-42b2-ab7c-8db18bd367a3:indexpattern-datasource-layer-97b747de-fee3-4557-84f6-3d6aecd1f5c7", "type": "index-pattern"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, 
{"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "d07fce50-6a1f-11ec-864c-8b5450f97635", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:panel_2c8d6219-3e37-47c9-bfb2-9330167ad7b8", "type": "lens"}, {"id": "endgame-*", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, 
{"id": "endgame-*", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:indexpattern-datasource-layer-fac6e4a9-2d36-463c-b2b0-b451546f6f20", "type": "index-pattern"}, {"id": "endgame-*", "name": "2c8d6219-3e37-47c9-bfb2-9330167ad7b8:filter-index-pattern-0", "type": "index-pattern"}, {"id": "82185ff0-696d-11ec-864c-8b5450f97635", "name": "f702b2f2-5fc3-4a29-90a6-0d0d223fd358:panel_f702b2f2-5fc3-4a29-90a6-0d0d223fd358", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": 
"03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "03935e10-6a20-11ec-864c-8b5450f97635", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:panel_93800440-ed84-48b6-8055-c58a5d290ec6", "type": "lens"}, {"id": "endgame-*", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "93800440-ed84-48b6-8055-c58a5d290ec6:indexpattern-datasource-layer-1828f449-a2e9-4ed2-a72c-e6f22382569e", "type": "index-pattern"}, {"id": "3ae34620-6258-11ec-864c-8b5450f97635", "name": "f389ba6c-bcad-4564-aca0-e696e2981239:panel_f389ba6c-bcad-4564-aca0-e696e2981239", "type": "visualization"}, {"id": "de389910-6f0a-11ec-864c-8b5450f97635", "name": "1ae20b57-e5db-4e2b-b45b-51132e0892d2:panel_1ae20b57-e5db-4e2b-b45b-51132e0892d2", "type": "visualization"}, {"id": "f30bef10-6328-11ec-864c-8b5450f97635", "name": "64991e9b-5624-4d8d-9624-3077e970068f:panel_64991e9b-5624-4d8d-9624-3077e970068f", 
"type": "lens"}, {"id": "49d34770-53b2-11ec-b3ef-6bcc33056a36", "name": "64991e9b-5624-4d8d-9624-3077e970068f:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:842ed2f7-3fb1-4c0d-a62c-dd9d06de42da:dashboardId", "type": "dashboard"}, {"id": "e2cff350-6ccc-11ec-864c-8b5450f97635", "name": "d3b35751-4ec0-441c-a399-4c56a38ea9d3:panel_d3b35751-4ec0-441c-a399-4c56a38ea9d3", "type": "lens"}, {"id": "790991a0-6287-11ec-864c-8b5450f97635", "name": "d3b35751-4ec0-441c-a399-4c56a38ea9d3:drilldown:DASHBOARD_TO_DASHBOARD_DRILLDOWN:99f3c946-0494-42aa-a14f-cac5dce6757d:dashboardId", "type": "dashboard"}, {"id": "072ae530-6d6c-11ec-864c-8b5450f97635", "name": "77406005-0714-4d8f-a535-79c693437dfe:panel_77406005-0714-4d8f-a535-79c693437dfe", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": 
"676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_79b433c6-e740-40be-8b5e-02155ee11955", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "676296e0-6d6d-11ec-864c-8b5450f97635", "name": "79b433c6-e740-40be-8b5e-02155ee11955:panel_cd2e58e6-ecaf-46ff-89ae-3f6c104137b2", "type": "lens"}, {"id": "endgame-*", "name": "79b433c6-e740-40be-8b5e-02155ee11955:indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "79b433c6-e740-40be-8b5e-02155ee11955:indexpattern-datasource-layer-e5f77e35-1bc5-4487-9602-e2962cafa87b", "type": "index-pattern"}, {"id": "endgame-*", "name": "79b433c6-e740-40be-8b5e-02155ee11955:filter-index-pattern-0", "type": "index-pattern"}, {"id": "e1e12ab0-6cc5-11ec-864c-8b5450f97635", "name": "812191d7-0fc5-4dba-8cb6-600b9e3ee15c:panel_812191d7-0fc5-4dba-8cb6-600b9e3ee15c", "type": "lens"}, {"id": "20c85b70-53aa-11ec-b3ef-6bcc33056a36", "name": "b4898ca9-c99e-4ea2-a269-4e60616f2a4f:panel_b4898ca9-c99e-4ea2-a269-4e60616f2a4f", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1578], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Data Types", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Data 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Data Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "60925490-34bf-11e7-9b32-bb903919ead9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1580], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SSL - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6139edd0-3641-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1582], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Autoruns - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "bf5ab2d0-6d6b-11e7-ad64-15aa071374a6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1584], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Hostname (Tag Cloud)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Autoruns - Hostname (Tag 
Cloud)\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":10,\"maxFontSize\":30,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c5d58f60-6d78-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1586], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQ0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Hostname", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Autoruns - Hostname\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "df5e9e80-6d79-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1588], "type": "visualization", "updated_at": 
"2022-01-28T16:04:58.421Z", "version": "WzE0MTQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Launch String", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Autoruns - Launch String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"launch_string.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Launch String\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"image_path.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Image\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "cfd94590-6d7a-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1590], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQ2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Company", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Autoruns - 
Company\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"linear\",\"orientation\":\"single\",\"minFontSize\":14,\"maxFontSize\":36,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"company.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "96105ff0-6d7b-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1592], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Signer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Autoruns - Signer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"signer.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Signer\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6cf187b0-6d7c-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1594], "type": "visualization", "updated_at": 
"2022-01-28T16:04:58.421Z", "version": "WzE0MTQ4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Autoruns - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Autoruns - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHG1IaxQT5EBNmq4yR", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1596], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTQ5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":16,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":20,\"y\":48,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":0,\"y\":48,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":32,\"x\":0,\"y\":120,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"columns\":[\"entry\",\"entry_location\",\"image_path\",\"hostname\",\"
_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "z16.04 - Autoruns", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "61d43810-6d62-11e7-8ddb-e71eb260f4a3", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "bf5ab2d0-6d6b-11e7-ad64-15aa071374a6", "name": "panel_1", "type": "visualization"}, {"id": "482be9b0-6d78-11e7-b09b-f57b22df6524", "name": "panel_2", "type": "visualization"}, {"id": "c5d58f60-6d78-11e7-b09b-f57b22df6524", "name": "panel_3", "type": "visualization"}, {"id": "1cd6a970-6d79-11e7-b09b-f57b22df6524", "name": "panel_4", "type": "visualization"}, {"id": "df5e9e80-6d79-11e7-b09b-f57b22df6524", "name": "panel_5", "type": "visualization"}, {"id": "2ef9ccd0-6d7a-11e7-b09b-f57b22df6524", "name": "panel_6", "type": "visualization"}, {"id": "cfd94590-6d7a-11e7-b09b-f57b22df6524", "name": "panel_7", "type": "visualization"}, {"id": "96105ff0-6d7b-11e7-b09b-f57b22df6524", "name": "panel_8", "type": "visualization"}, {"id": "6cf187b0-6d7c-11e7-b09b-f57b22df6524", "name": "panel_9", "type": "visualization"}, {"id": "dd700830-6d69-11e7-ad64-15aa071374a6", "name": "panel_10", "type": "search"}, {"id": "AWDHG1IaxQT5EBNmq4yR", "name": "panel_11", "type": "visualization"}], "sort": [1643385898421, 1609], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTUwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.category.keyword : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - Event.Cat:Registry Log 
Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - Event.Cat:Registry Log Count Over Time\",\"type\":\"line\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"used_interval\":\"30m\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"}],\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{},\"style\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"},\"style\":{}}],\"seriesParams\":[{\"show\":true,\"type\":\"area\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":3}],\"addTooltip\":true,\"detailedTooltip\":true,\"palette\":{\"type\":\"palette\",\"name\":\"default\"},\"addLegend\":true,\"legendPosition\":\"right\",\"fittingFunction\":\"linear\",\"times\":[],\"addTimeMarker\":false,\"truncateLegend\":true,\"maxLegendLines\":1,\"labels\":{},\"radiusRatio\":9,\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}"}, "coreMigrationVersion": "7.16.2", "id": "61f72150-6406-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1612], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTUxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS Alerts - Source Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS Alerts - Source Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "620283e0-3af5-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1614], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Modbus - Function", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Modbus - 
Function\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.function.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"modbus.function.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Function\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "62449800-75be-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1616], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTUzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - MySQL - Success", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - MySQL - 
Success\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "62969db0-75c0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1618], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTU0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - Top Destination IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - Top Destination 
IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Destination IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "62ac4060-6ea0-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1620], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTU1LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"e316de92-6d8b-4ef1-8197-18b0b339413f": {"columnOrder": ["7e8c9bea-75f8-4666-be0e-a3c8e96f7739"], "columns": {"7e8c9bea-75f8-4666-be0e-a3c8e96f7739": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"accessor": 
"7e8c9bea-75f8-4666-be0e-a3c8e96f7739", "layerId": "e316de92-6d8b-4ef1-8197-18b0b339413f", "layerType": "data"}}, "title": "Endgame - Auth Count", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "63569670-6d6b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-e316de92-6d8b-4ef1-8197-18b0b339413f", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1625], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTU2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Desktop Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"desktop_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Desktop Name\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "63c072c0-371f-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1627], "type": 
"visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS - Drilldown - Rule Signature", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS - Drilldown - Rule Signature\",\"type\":\"table\",\"params\":{\"perPage\":1,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"top_hits\",\"schema\":\"metric\",\"params\":{\"field\":\"rule_signature.keyword\",\"aggregate\":\"concat\",\"size\":1,\"sortField\":\"@timestamp\",\"sortOrder\":\"desc\",\"customLabel\":\"NIDS Signature\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "6533dd40-e064-11e9-8f0c-2ddbf5ed9290", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1629], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Syslog - Facility", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Syslog - 
Facility\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.facility_label: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.facility_label\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e017cb80-777b-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1631], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Syslog - Severity", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog.severity_label\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Syslog - Severity\"}"}, "coreMigrationVersion": "7.16.2", "id": "9e1a4240-c77a-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1633], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTYwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:syslog\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\"},\"panelIndex\":\"9c4d23d9-2dd5-4a9f-aa67-edc6b73f3086\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\"},\"panelIndex\":\"a3e3afae-dd54-4024-9d09-608a6baecd42\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\"},\"panelIndex\":\"e7dbc7be-d1ef-499a-bbb6-2963bfdaabfb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":18,\"i\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\"},\"panelIndex\":\"e1ea8adf-acd8-4577-9c81-1acb711d20ce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":18,\"i\":\"16f2046a-4417-4e78-9699-65d253db78cb\"},\"panelIndex\":\"16f2046a-4417-4e78-9699-65d253db78cb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":8,\"w\":11,\"h\":18,\"i\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\"},\"panelIndex\":\"226810af-b55b-4fba-99c8-0c28ca99aa37\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":27,\"y\":8,\"w\":9,\"h\":18,\"i\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\"},\"panelIndex\":\"9cc5fffe-3834-4550-84e3-33d1246f68f6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":18,\"i\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\"},\"panelIndex\":\"cdad19b0-4f35-4143-8677-0a64a64dbca6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"
7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":29,\"i\":\"b06c2c59-18a2-4e4c-bfc8-b4d496a89d30\"},\"panelIndex\":\"b06c2c59-18a2-4e4c-bfc8-b4d496a89d30\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - Syslog", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "66499a20-75ed-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "e017cb80-777b-11ea-bee5-af7f7c7b8e05", "name": "panel_6", "type": "visualization"}, {"id": "9e1a4240-c77a-11ea-bebb-37c5ab5894ea", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 1643], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTYxLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"842f61f9-afc4-44dc-a6bd-e3cc66a8827b": {"columnOrder": ["2834ba67-2809-442b-b80b-4b17d3a67d43"], "columns": {"2834ba67-2809-442b-b80b-4b17d3a67d43": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": " ", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"accessor": "2834ba67-2809-442b-b80b-4b17d3a67d43", "layerId": 
"842f61f9-afc4-44dc-a6bd-e3cc66a8827b", "layerType": "data"}}, "title": "Endgame - Alerts", "visualizationType": "lnsMetric"}, "coreMigrationVersion": "7.16.2", "id": "668e9130-6cc1-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-842f61f9-afc4-44dc-a6bd-e3cc66a8827b", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1647], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTYyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Query/Answer", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - Query/Answer\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e8e3b8a0-34c1-11e7-917c-af7a9d11771a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], 
"sort": [1643385898421, 1649], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTYzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS - Alerts", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS - Alerts\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c7eed4c0-3649-11e7-bf60-314364dd1cde", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1651], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTY0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - 
Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6ef90c30-34c0-11e7-9b32-bb903919ead9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1653], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTY1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Sensors - Sensor and Services (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Sensors - Sensor and Services (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"sensor_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"service.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9c979ea0-345b-11e7-8867-29a39c0f86b2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1655], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTY2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Top 50 - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Top 50 - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "73806f30-4948-11e8-9576-313be7c6b44b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1657], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTY3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Top 50 - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Top 50 - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c0de57b0-4948-11e8-9576-313be7c6b44b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1659], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTY4LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":144,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":144,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":180,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":180,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":120,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"columns\":[\"hostname\",\"alert_level\",\"description\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":204,\"i\":\"19\"},\"panelIndex\":
\"19\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":12,\"x\":0,\"y\":168,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":144,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"22\"},\"panelIndex\":\"22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_15\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":0,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_16\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":72,\"i\":\"27\"},\"panelIndex\":\"27\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_17\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":72,\"i\":\"28\"},\"panelIndex\":\"28\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_18\"}]", "timeRestore": false, "title": "z16.04 - Indicator", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "68563ed0-34bf-11e7-9b32-bb903919ead9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": 
"60925490-34bf-11e7-9b32-bb903919ead9", "name": "panel_1", "type": "visualization"}, {"id": "e8e3b8a0-34c1-11e7-917c-af7a9d11771a", "name": "panel_2", "type": "visualization"}, {"id": "ae1f1fb0-3648-11e7-bf60-314364dd1cde", "name": "panel_3", "type": "visualization"}, {"id": "d0f56da0-3648-11e7-bf60-314364dd1cde", "name": "panel_4", "type": "visualization"}, {"id": "8ba31820-34c6-11e7-8360-0b86c90983fd", "name": "panel_5", "type": "visualization"}, {"id": "7153e7f0-34c7-11e7-8360-0b86c90983fd", "name": "panel_6", "type": "visualization"}, {"id": "c7eed4c0-3649-11e7-bf60-314364dd1cde", "name": "panel_7", "type": "visualization"}, {"id": "45a652b0-34c1-11e7-917c-af7a9d11771a", "name": "panel_8", "type": "visualization"}, {"id": "d9096bb0-342f-11e7-9e93-53b62e1857b2", "name": "panel_9", "type": "search"}, {"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "panel_10", "type": "search"}, {"id": "934fe550-6e08-11e7-9370-174c4785d3e1", "name": "panel_11", "type": "visualization"}, {"id": "3f4abb40-6e0a-11e7-84cc-b363f104b3c7", "name": "panel_12", "type": "visualization"}, {"id": "53ac63e0-365b-11e7-8bd0-1db2c55fb7a1", "name": "panel_13", "type": "visualization"}, {"id": "6ef90c30-34c0-11e7-9b32-bb903919ead9", "name": "panel_14", "type": "visualization"}, {"id": "07fdf9e0-39ad-11e7-8472-0151e5b2b475", "name": "panel_15", "type": "visualization"}, {"id": "9c979ea0-345b-11e7-8867-29a39c0f86b2", "name": "panel_16", "type": "visualization"}, {"id": "73806f30-4948-11e8-9576-313be7c6b44b", "name": "panel_17", "type": "visualization"}, {"id": "c0de57b0-4948-11e8-9576-313be7c6b44b", "name": "panel_18", "type": "visualization"}], "sort": [1643385898421, 1679], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Network Data - Count", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"title\":\"Security Onion - Network Data - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"}, "coreMigrationVersion": "7.16.2", "id": "689991b0-6ea7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1681], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTcwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[25.16517336866393,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": false, "title": "Connections - Source - Originator Bytes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": 
"68f738e0-46ca-11e7-946f-1bfb1be7c36b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "05809df0-46cb-11e7-946f-1bfb1be7c36b", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 1684], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTcxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SNMP - Version", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - SNMP - Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"snmp.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Version\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "690ef880-75e9-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1686], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTcyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Weird - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Weird - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "691ade50-4c85-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1688], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Kerberos - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c97cd4c0-35ba-11e7-b9ee-834112670159", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1690], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTc0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - 
Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "710ccbf0-35bb-11e7-b9ee-834112670159", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1692], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTc1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Success Status (Donut Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Kerberos - Success Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"kerberos_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": 
"b31231c0-35bb-11e7-b9ee-834112670159", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1694], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTc2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f0178840-35bb-11e7-b9ee-834112670159", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1696], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTc3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Cipher (Donut Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Kerberos - Cipher (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"cipher.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e3fffae0-3635-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1698], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTc4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "84f28670-3636-11e7-a6f7-4f44d7bf1c33", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1700], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Service", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Service\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f7c48a20-6e19-11e7-89e4-613b96f597e1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1702], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Renewable", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Kerberos - 
Renewable\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"renewable.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Renewable\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "bb748470-6e1a-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1704], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTgxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Kerberos - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Kerberos - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG_UbkxQT5EBNmq4Lg", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1706], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTgyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"request_type\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":48,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":48,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":96,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":96,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":96,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":0,\"y
\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":72,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]", "timeRestore": false, "title": "z16.04 - Bro - Kerberos", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "6b0d4870-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "c97cd4c0-35ba-11e7-b9ee-834112670159", "name": "panel_1", "type": "visualization"}, {"id": "452daa10-342e-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": "search"}, {"id": "710ccbf0-35bb-11e7-b9ee-834112670159", "name": "panel_3", "type": "visualization"}, {"id": "b31231c0-35bb-11e7-b9ee-834112670159", "name": "panel_4", "type": "visualization"}, {"id": "f0178840-35bb-11e7-b9ee-834112670159", "name": "panel_5", "type": "visualization"}, {"id": "e3fffae0-3635-11e7-a6f7-4f44d7bf1c33", "name": "panel_6", "type": "visualization"}, {"id": "28d04080-3636-11e7-a6f7-4f44d7bf1c33", "name": "panel_7", "type": "visualization"}, {"id": "3f34faa0-3636-11e7-a6f7-4f44d7bf1c33", "name": "panel_8", "type": "visualization"}, {"id": "84f28670-3636-11e7-a6f7-4f44d7bf1c33", "name": "panel_9", "type": "visualization"}, {"id": "f7c48a20-6e19-11e7-89e4-613b96f597e1", "name": "panel_10", "type": "visualization"}, {"id": "4aa0b2a0-6e1a-11e7-89e4-613b96f597e1", "name": "panel_11", "type": "visualization"}, {"id": 
"bb748470-6e1a-11e7-b553-7f80727663c1", "name": "panel_12", "type": "visualization"}, {"id": "AWDG_UbkxQT5EBNmq4Lg", "name": "panel_13", "type": "visualization"}], "sort": [1643385898421, 1721], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Intel - Indicator Type (Pie)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Intel - Indicator Type (Pie)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.indicator_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":24,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Indicator Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "6b109430-0e60-11eb-a255-e1e8e85e3571", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1723], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTg0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"f792f3cd-4a3c-4788-a3f8-33542035b98e": {"columnOrder": ["4aaf35d6-7ed3-4d81-9a7d-85bbc43459c1", 
"c7495830-1f48-4613-a2a1-e9213447910f", "3926249d-4707-4e24-a637-7a2b9d046856"], "columns": {"3926249d-4707-4e24-a637-7a2b9d046856": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "4aaf35d6-7ed3-4d81-9a7d-85bbc43459c1": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "3926249d-4707-4e24-a637-7a2b9d046856", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.user.name"}, "c7495830-1f48-4613-a2a1-e9213447910f": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "3926249d-4707-4e24-a637-7a2b9d046856", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "user.name"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "4aaf35d6-7ed3-4d81-9a7d-85bbc43459c1", "isTransposed": false}, {"columnId": "c7495830-1f48-4613-a2a1-e9213447910f", "isTransposed": false}, {"columnId": "3926249d-4707-4e24-a637-7a2b9d046856", "isTransposed": false}], "layerId": "f792f3cd-4a3c-4788-a3f8-33542035b98e", "layerType": "data"}}, "title": "Endgame - Auth Username", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "6b3841e0-6d6b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": 
"indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-f792f3cd-4a3c-4788-a3f8-33542035b98e", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1728], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTg1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Destination Port", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Sysmon - Destination Port\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Port\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\
",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6b70b840-6d75-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1730], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTg2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"4a1ec78a-56cc-4227-919e-857b47d902dd": {"columnOrder": ["fb18d67e-9996-499c-95e1-0e67c91567c8", "c8eeb0da-7ef2-40fa-b837-808e4e34c536", "56f86bee-5b6e-42b4-92f3-563f7782aa71"], "columns": {"56f86bee-5b6e-42b4-92f3-563f7782aa71": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "c8eeb0da-7ef2-40fa-b837-808e4e34c536": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}, "fb18d67e-9996-499c-95e1-0e67c91567c8": {"dataType": "string", "isBucketed": true, "label": "Top values of event.outcome", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "56f86bee-5b6e-42b4-92f3-563f7782aa71", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "event.outcome"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", 
"gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["56f86bee-5b6e-42b4-92f3-563f7782aa71"], "layerId": "4a1ec78a-56cc-4227-919e-857b47d902dd", "layerType": "data", "position": "top", "seriesType": "bar_stacked", "showGridlines": false, "splitAccessor": "fb18d67e-9996-499c-95e1-0e67c91567c8", "xAccessor": "c8eeb0da-7ef2-40fa-b837-808e4e34c536"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Auth Logs Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "6f648670-6d6b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-4a1ec78a-56cc-4227-919e-857b47d902dd", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1735], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTg3LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3f16332f-15b4-4f4f-8cd0-3904d1082ad9": {"columnOrder": ["ac84ac59-9300-4b99-b002-b9c3bcb375d0", "d449a510-00fe-4b24-bd3d-5c9d4e5fc67b"], "columns": {"ac84ac59-9300-4b99-b002-b9c3bcb375d0": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "host.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "d449a510-00fe-4b24-bd3d-5c9d4e5fc67b", "type": "column"}, "orderDirection": 
"desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "host.name"}, "d449a510-00fe-4b24-bd3d-5c9d4e5fc67b": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count ", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "ac84ac59-9300-4b99-b002-b9c3bcb375d0"}, {"columnId": "d449a510-00fe-4b24-bd3d-5c9d4e5fc67b"}], "layerId": "3f16332f-15b4-4f4f-8cd0-3904d1082ad9", "layerType": "data"}}, "title": "Endgame - Auth Hostname", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "b6bd72c0-6d6b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3f16332f-15b4-4f4f-8cd0-3904d1082ad9", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1740], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTg4LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"67aa62dc-542c-4302-b7ca-3f58dcae48bc": {"columnOrder": ["c6c215da-4e22-4969-b00a-fb6a0a85eac3", "5f851d2a-ab05-4075-9aa3-8d73eb2d0d08"], "columns": {"5f851d2a-ab05-4075-9aa3-8d73eb2d0d08": {"dataType": "number", "isBucketed": false, "label": "Count of records", 
"operationType": "count", "scale": "ratio", "sourceField": "Records"}, "c6c215da-4e22-4969-b00a-fb6a0a85eac3": {"dataType": "string", "isBucketed": true, "label": "Top values of event.action", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "5f851d2a-ab05-4075-9aa3-8d73eb2d0d08", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.action"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["c6c215da-4e22-4969-b00a-fb6a0a85eac3"], "layerId": "67aa62dc-542c-4302-b7ca-3f58dcae48bc", "layerType": "data", "legendDisplay": "default", "metric": "5f851d2a-ab05-4075-9aa3-8d73eb2d0d08", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "donut"}}, "title": "Endgame - Auth Event Action (Donut)", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "d3e6cf90-6d6b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-67aa62dc-542c-4302-b7ca-3f58dcae48bc", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1745], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTg5LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": 
{"layers": {"d00a9d6e-a40e-4051-9999-946bca8cc10a": {"columnOrder": ["2ff29508-b249-4b8b-8472-7b287d1a458d", "4fbce0f5-b26d-4996-a04a-8f28c03e85e1"], "columns": {"2ff29508-b249-4b8b-8472-7b287d1a458d": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "event.action", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "4fbce0f5-b26d-4996-a04a-8f28c03e85e1", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.action"}, "4fbce0f5-b26d-4996-a04a-8f28c03e85e1": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "authentication"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "authentication"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "2ff29508-b249-4b8b-8472-7b287d1a458d"}, {"columnId": "4fbce0f5-b26d-4996-a04a-8f28c03e85e1"}], "layerId": "d00a9d6e-a40e-4051-9999-946bca8cc10a", "layerType": "data"}}, "title": "Endgame - Auth Event Action", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "c9b17020-6d6b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-d00a9d6e-a40e-4051-9999-946bca8cc10a", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1750], 
"type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTkwLDE1XQ=="} +{"attributes": {"columns": ["host.hostname", "user.name", "host.ip"], "description": "", "grid": {}, "hideChart": false, "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"meta\":{\"alias\":null,\"negate\":false,\"disabled\":false,\"type\":\"phrase\",\"key\":\"event.category\",\"params\":{\"query\":\"authentication\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.category\":\"authentication\"}},\"$state\":{\"store\":\"appState\"}}],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Endgame - Authentication Search", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "7a1fc780-6f07-11ec-864c-8b5450f97635", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}], "sort": [1643385898421, 1753], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTkxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":10,\"h\":10,\"i\":\"16f743b7-687e-43ce-86a5-3ad5c607c1fe\"},\"panelIndex\":\"16f743b7-687e-43ce-86a5-3ad5c607c1fe\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - 
Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_16f743b7-687e-43ce-86a5-3ad5c607c1fe\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":10,\"y\":0,\"w\":14,\"h\":10,\"i\":\"b9a19eb1-8a99-4ba7-89e5-7176371c1365\"},\"panelIndex\":\"b9a19eb1-8a99-4ba7-89e5-7176371c1365\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Count\",\"panelRefName\":\"panel_b9a19eb1-8a99-4ba7-89e5-7176371c1365\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":10,\"i\":\"f16a41be-56eb-4852-b44c-7303c89b3332\"},\"panelIndex\":\"f16a41be-56eb-4852-b44c-7303c89b3332\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth 
Username\",\"panelRefName\":\"panel_f16a41be-56eb-4852-b44c-7303c89b3332\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":10,\"w\":24,\"h\":15,\"i\":\"dc68201b-bd8a-4fe9-9009-68fe91013c9f\"},\"panelIndex\":\"dc68201b-bd8a-4fe9-9009-68fe91013c9f\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Logs Over Time\",\"panelRefName\":\"panel_dc68201b-bd8a-4fe9-9009-68fe91013c9f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":10,\"w\":24,\"h\":10,\"i\":\"c394186d-2848-42bf-a521-7ba497a3b3b6\"},\"panelIndex\":\"c394186d-2848-42bf-a521-7ba497a3b3b6\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Hostname\",\"panelRefName\":\"panel_c394186d-2848-42bf-a521-7ba497a3b3b6\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":24,\"y\":20,\"w\":24,\"h\":15,\"i\":\"c08e4616-5f26-4b6a-aa37-9c6a5e27d739\"},\"panelIndex\":\"c08e4616-5f26-4b6a-aa37-9c6a5e27d739\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{\"dynamicActions\":{\"events\":[]}}},\"title\":\"Endgame - Auth Event Action (Donut)\",\"panelRefName\":\"panel_c08e4616-5f26-4b6a-aa37-9c6a5e27d739\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":25,\"w\":24,\"h\":10,\"i\":\"d7b3a140-a1a5-48d4-82a5-a84dc3a0285a\"},\"panelIndex\":\"d7b3a140-a1a5-48d4-82a5-a84dc3a0285a\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Auth Event Action\",\"panelRefName\":\"panel_d7b3a140-a1a5-48d4-82a5-a84dc3a0285a\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":35,\"w\":48,\"h\":15,\"i\":\"aa35ad44-a937-4fa6-9444-7bcb1922a167\"},\"panelIndex\":\"aa35ad44-a937-4fa6-9444-7bcb1922a167\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - Auth Event 
Outcome\",\"panelRefName\":\"panel_aa35ad44-a937-4fa6-9444-7bcb1922a167\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":50,\"w\":48,\"h\":18,\"i\":\"ffffbd7a-71f4-4977-bdf2-cad011e281c4\"},\"panelIndex\":\"ffffbd7a-71f4-4977-bdf2-cad011e281c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ffffbd7a-71f4-4977-bdf2-cad011e281c4\"}]", "timeRestore": false, "title": "Endgame - Authentication", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "6c5aaff0-63f6-11ec-864c-8b5450f97635", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "16f743b7-687e-43ce-86a5-3ad5c607c1fe:panel_16f743b7-687e-43ce-86a5-3ad5c607c1fe", "type": "visualization"}, {"id": "63569670-6d6b-11ec-864c-8b5450f97635", "name": "b9a19eb1-8a99-4ba7-89e5-7176371c1365:panel_b9a19eb1-8a99-4ba7-89e5-7176371c1365", "type": "lens"}, {"id": "6b3841e0-6d6b-11ec-864c-8b5450f97635", "name": "f16a41be-56eb-4852-b44c-7303c89b3332:panel_f16a41be-56eb-4852-b44c-7303c89b3332", "type": "lens"}, {"id": "6f648670-6d6b-11ec-864c-8b5450f97635", "name": "dc68201b-bd8a-4fe9-9009-68fe91013c9f:panel_dc68201b-bd8a-4fe9-9009-68fe91013c9f", "type": "lens"}, {"id": "b6bd72c0-6d6b-11ec-864c-8b5450f97635", "name": "c394186d-2848-42bf-a521-7ba497a3b3b6:panel_c394186d-2848-42bf-a521-7ba497a3b3b6", "type": "lens"}, {"id": "d3e6cf90-6d6b-11ec-864c-8b5450f97635", "name": "c08e4616-5f26-4b6a-aa37-9c6a5e27d739:panel_c08e4616-5f26-4b6a-aa37-9c6a5e27d739", "type": "lens"}, {"id": "c9b17020-6d6b-11ec-864c-8b5450f97635", "name": "d7b3a140-a1a5-48d4-82a5-a84dc3a0285a:panel_d7b3a140-a1a5-48d4-82a5-a84dc3a0285a", "type": "lens"}, {"id": "072ae530-6d6c-11ec-864c-8b5450f97635", "name": "aa35ad44-a937-4fa6-9444-7bcb1922a167:panel_aa35ad44-a937-4fa6-9444-7bcb1922a167", "type": "lens"}, {"id": "7a1fc780-6f07-11ec-864c-8b5450f97635", "name": "ffffbd7a-71f4-4977-bdf2-cad011e281c4:panel_ffffbd7a-71f4-4977-bdf2-cad011e281c4", "type": 
"search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1764], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Syslog - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "6c60a280-76b5-11e7-94e1-3d2ec4e57ed9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1766], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Sysmon - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8cfdeff0-6d6b-11e7-ad64-15aa071374a6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1768], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTk0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Sysmon - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_hostname.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Hostname\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7bc74b40-6d71-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1770], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Sysmon - Event ID (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Sysmon - Event ID (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"event_id\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Event Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e09f6010-6d72-11e7-b09b-f57b22df6524", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1772], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTk2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", 
"title": "Sysmon - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Sysmon - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHHk1sxQT5EBNmq43Y", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1774], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTk3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination
_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "z16.04 - Sysmon - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "6d189680-6d62-11e7-8ddb-e71eb260f4a3", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "8cfdeff0-6d6b-11e7-ad64-15aa071374a6", "name": "panel_1", "type": "visualization"}, {"id": "0eb1fd80-6d70-11e7-b09b-f57b22df6524", "name": "panel_2", "type": "visualization"}, {"id": "3072c750-6d71-11e7-b09b-f57b22df6524", "name": "panel_3", "type": "visualization"}, {"id": "7bc74b40-6d71-11e7-b09b-f57b22df6524", "name": "panel_4", "type": "visualization"}, {"id": "13ed0810-6d72-11e7-b09b-f57b22df6524", "name": "panel_5", "type": "visualization"}, {"id": "3b6c92c0-6d72-11e7-b09b-f57b22df6524", "name": "panel_6", "type": "visualization"}, {"id": "e09f6010-6d72-11e7-b09b-f57b22df6524", "name": "panel_7", "type": "visualization"}, {"id": "29611940-6d75-11e7-b09b-f57b22df6524", "name": "panel_8", "type": "visualization"}, {"id": "6b70b840-6d75-11e7-b09b-f57b22df6524", "name": "panel_9", "type": "visualization"}, {"id": "248c1d20-6d6b-11e7-ad64-15aa071374a6", "name": "panel_10", "type": "search"}, {"id": "AWDHHk1sxQT5EBNmq43Y", "name": "panel_11", "type": "visualization"}], "sort": [1643385898421, 1787], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SMB - Action (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "6f883480-3aad-11e7-8b17-0d8709b02c80", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1789], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MTk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSL - Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SSL - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "6fccb600-75ec-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1791], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjAwLDE1XQ=="} +{"attributes": {"buildNum": 39457, "defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29", "defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645", "discover:sampleSize": 100, "securitySolution:defaultIndex": ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*", "*:so-*"], "theme:darkMode": true, "timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n 
\"to\": \"now\"\n}"}, "coreMigrationVersion": "7.16.2", "id": "7.16.2", "migrationVersion": {"config": "7.13.0"}, "references": [], "sort": [1643385898421, 1792], "type": "config", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Strelka - File - MIME Flavors", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "70243970-772c-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1794], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjAyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Modbus - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG_9KpxQT5EBNmq4Oo", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1796], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjAzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "z16.04 - Bro - Modbus", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "70c005f0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "0d168a30-363f-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": 
"20eabd60-380b-11e7-a1cc-ebc6a7e70e84", "name": "panel_2", "type": "visualization"}, {"id": "3c65f500-380b-11e7-a1cc-ebc6a7e70e84", "name": "panel_3", "type": "visualization"}, {"id": "52dc9fe0-342e-11e7-9e93-53b62e1857b2", "name": "panel_4", "type": "search"}, {"id": "178209e0-6e1b-11e7-b553-7f80727663c1", "name": "panel_5", "type": "visualization"}, {"id": "AWDG_9KpxQT5EBNmq4Oo", "name": "panel_6", "type": "visualization"}, {"id": "453f8b90-4a58-11e8-9b0a-f1d33346f773", "name": "panel_7", "type": "visualization"}], "sort": [1643385898421, 1805], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "osquery - Chrome Extensions - Change Stats", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"osquery - ChromeExt - Change Stats\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":70}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Changes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"osquery.hostIdentifier.keyword\",\"customLabel\":\"Endpoints\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "71538370-18d5-11e9-932c-d12d2cf4ee95", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "0eee4360-18d4-11e9-932c-d12d2cf4ee95", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1807], "type": "visualization", "updated_at": 
"2022-01-28T16:04:58.421Z", "version": "WzE0MjA1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Connections - Total Bytes Per Source/Destination IP Pair", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"_term\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"Source IP\",\"field\":\"source_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"2-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"3\",\"params\":{\"customLabel\":\"Destination IP\",\"field\":\"destination_ip\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderAgg\":{\"enabled\":true,\"id\":\"3-orderAgg\",\"params\":{\"field\":\"total_bytes\"},\"schema\":\"orderAgg\",\"type\":\"cardinality\"},\"orderBy\":\"custom\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"title\":\"Connections - Total Bytes Per 
Source/Destination IP Pair\",\"type\":\"table\"}"}, "coreMigrationVersion": "7.16.2", "id": "726cc040-48cf-11e8-9576-313be7c6b44b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1809], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMB - File Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMB - File Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"File Name\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "72f0f010-3aaf-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1811], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjA3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Log Type Per Sensor/Device", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"title\":\"Log Type Per Sensor/Device\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"syslog-host_from.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Sensor/Device\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "733ce440-494d-11e8-9576-313be7c6b44b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1813], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjA4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "X.509 - Certificate Signing Algorithm", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Signing 
Algorithm\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"certificate_signing_algorithm.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Algorithm\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "738127f0-37d7-11e7-9efb-91e89505091f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1815], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - FTP - Command", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - FTP - 
Command\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ftp.command.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d3435690-755f-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1817], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjEwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - FTP - User", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{},\"schema\":\"metric\",\"type\":\"count\"},{\"enabled\":true,\"id\":\"2\",\"params\":{\"customLabel\":\"User\",\"field\":\"ftp.user.keyword\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"size\":100},\"schema\":\"bucket\",\"type\":\"terms\"}],\"params\":{\"dimensions\":{\"buckets\":[{\"accessor\":0,\"aggType\":\"terms\",\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"missingBucketLabel\":\"Missing\",\"otherBucketLabel\":\"Other\",\"parsedUrl\":{\"basePath\":\"/kibana\",\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\"}}},\"label\":\"ftp.user.keyword: Descending\",\"params\":{}}],\"metrics\":[{\"accessor\":1,\"aggType\":\"count\",\"format\":{\"id\":\"number\"},\"label\":\"Count\",\"params\":{}}]},\"perPage\":10,\"percentageCol\":\"\",\"showMetricsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"title\":\"Security Onion - FTP - User\",\"type\":\"table\"}"}, "coreMigrationVersion": "7.16.2", "id": "8346bc70-7561-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1819], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjExLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - FTP - Password", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - FTP - 
Password\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ftp.password.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ftp.password.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Password\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "bc3e2bd0-7561-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1821], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjEyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:ftp\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":13,\"h\":19,\"i\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\"},\"panelIndex\":\"1bf79bc6-8595-41e0-8a7e-2b21bd2bd928\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":8,\"w\":17,\"h\":19,\"i\":\"e244437a-17a5-4e00-9176-f4e88ac54938\"},\"panelIndex\":\"e244437a-17a5-4e00-9176-f4e88ac54938\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":22,\"h\":16,\"i\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\"},\"panelIndex\":\"9196bb67-30ad-4a8e-b75f-22a9cced6f35\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\
"7.9.0\",\"gridData\":{\"x\":22,\"y\":27,\"w\":26,\"h\":16,\"i\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\"},\"panelIndex\":\"9da1ff1b-aebe-45fb-9e48-420eafb1b655\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":28,\"i\":\"c57349cc-4699-4d52-b386-14e1d1260c87\"},\"panelIndex\":\"c57349cc-4699-4d52-b386-14e1d1260c87\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - FTP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "739bfad0-755a-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "d3435690-755f-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "5fcdb0c0-755f-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "8346bc70-7561-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "bc3e2bd0-7561-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 1832], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - \"From\" Address", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - \\\"From\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"mail_from.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"From\\\" Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "73b1b240-39a2-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1834], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjE0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user_agent.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"User Agent\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "73f663f0-3753-11e7-b74a-f5057991ccd2", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1836], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjE1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND highest_registered_domain:securityonion.net~ -securityonion.net\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "DNS - Phishing Attempts Against Organizational Domain(s)", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 0\":\"rgb(0,104,55)\",\"1 - 999999\":\"rgb(165,0,38)\"}}}", "version": 1, "visState": "{\"title\":\"DNS - Phishing Attempts Against Organizational Domain(s)\",\"type\":\"gauge\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"gauge\":{\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":0},{\"from\":1,\"to\":999999}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"Edit this to reflect your domain(s)\",\"fontSize\":60,\"labelColor\":true},\"alignment\":\"horizontal\"}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Phishing attempts against your domain(s)\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "74861280-6f06-11e7-b253-211f64f37eda", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1838], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjE2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RDP - Cookie", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RDP - Cookie\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"cookie.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Cookie\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "75597b60-371c-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1840], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjE3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Tunnels - Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Tunnels - 
Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"tunnel.type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "781447d0-75ef-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1842], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Intel - Indicator Type (Donut)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Intel - Indicator Type 
(Donut)\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.indicator_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":24,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Indicator Type\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "78185810-0e61-11eb-a255-e1e8e85e3571", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1844], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjE5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "osquery - Chrome Extensions - Sensitive Permissions", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"osquery - Chrome Extensions - Sensitive 
Permissions\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Extension Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"osquery.columns.permissions.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Permissions\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "040dda10-18d8-11e9-932c-d12d2cf4ee95", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1846], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjIwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "MySQL - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"MySQL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHBRrrxQT5EBNmq4TI", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5d624230-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1848], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjIxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "MySQL - Response", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"MySQL - Response\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"response.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Response\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9c411ad0-4a58-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"5d624230-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1850], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "MySQL - Success", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql_success.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c48925a0-4a58-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5d624230-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1852], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjIzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]", "timeRestore": false, "title": "z16.04 - Bro - MySQL", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "7929f430-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "5d9031a0-363f-11e7-a6f7-4f44d7bf1c33", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "07e25650-3812-11e7-a1cc-ebc6a7e70e84", "name": "panel_2", "type": "visualization"}, {"id": "5d624230-342e-11e7-9e93-53b62e1857b2", "name": "panel_3", "type": "search"}, {"id": "AWDHBRrrxQT5EBNmq4TI", 
"name": "panel_4", "type": "visualization"}, {"id": "9c411ad0-4a58-11e8-9b0a-f1d33346f773", "name": "panel_5", "type": "visualization"}, {"id": "c48925a0-4a58-11e8-9b0a-f1d33346f773", "name": "panel_6", "type": "visualization"}], "sort": [1643385898421, 1860], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjI0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - FIle - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - FIle - Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "7a88adc0-75f0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1862], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, 
"savedSearchRefName": "search_0", "title": "RFB - Client Version", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Client Version\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_major_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"client_minor_version.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7c1e3f70-6e22-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1864], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SMTP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7c922990-3640-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1866], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjI3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_http AND _exists_:virtual_host_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "HTTP - Virtual Host Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"HTTP - Virtual Host Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"virtual_host_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"virtual_host.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Virtual Host\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7d1ede50-6f19-11e7-86c8-a1b6db3b051a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1868], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjI4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSH - Authentication Sucess", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - SSH - Authentication Sucess\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssh.authentication.success: 
Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssh.authentication.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "7d61f430-75ea-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1870], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SNMP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7dc62970-6e2a-11e7-8b76-75eee0095daa", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 1872], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjMwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "PE - Machine", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"PE - Machine\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"machine.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Machine\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7de76e10-6e1f-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1874], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjMxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND _exists_:highest_registered_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "DNS - Highest Registered Domain Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - Highest Registered Domain Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"highest_registered_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7f1f00a0-6f04-11e7-b253-211f64f37eda", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1876], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjMyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS - Alerts Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"NIDS - Alerts Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 
minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d58ec1a0-34e4-11e7-9669-7f1d3242b798", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1878], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjMzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS Alerts - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS Alerts - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a6df8820-399f-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1880], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjM0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS Alerts - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS Alerts - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "db04aef0-399f-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": 
"search_0", "type": "search"}], "sort": [1643385898421, 1882], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjM1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS Alerts - Severity (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"NIDS Alerts - Severity (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"priority.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Priority\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1884], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjM2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS - Alerts By Country (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"NIDS - Alerts By Country (Vertical Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":75},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "81de16f0-6e0f-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1886], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjM3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "NIDS - Alert Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"NIDS - Alert 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG3ym0xQT5EBNmq3mG", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1888], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjM4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "NIDS - Alert Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS - Alert 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"alert.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Alert\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "96c2cf10-4a3d-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1890], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjM5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "NIDS - Classification", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"NIDS - 
Classification\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"classification.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Classification\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d66d54c0-4c89-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1892], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":120,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":96,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":96,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":32,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":44,\"i
\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":72,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]", "timeRestore": false, "title": "z16.04 - NIDS", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "7f27a830-34e5-11e7-9669-7f1d3242b798", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "d58ec1a0-34e4-11e7-9669-7f1d3242b798", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": "search"}, {"id": "a6df8820-399f-11e7-8472-0151e5b2b475", "name": "panel_3", "type": "visualization"}, {"id": "db04aef0-399f-11e7-8472-0151e5b2b475", "name": "panel_4", "type": "visualization"}, {"id": "620283e0-3af5-11e7-a83b-b1b4da7d15f4", "name": "panel_5", "type": "visualization"}, {"id": "ba60bcf0-3af5-11e7-a83b-b1b4da7d15f4", "name": "panel_6", "type": "visualization"}, {"id": "45464b50-3af6-11e7-a83b-b1b4da7d15f4", "name": "panel_7", "type": "visualization"}, {"id": "81de16f0-6e0f-11e7-8624-1fb07dd76c6a", "name": "panel_8", "type": "visualization"}, {"id": "AWDG3ym0xQT5EBNmq3mG", "name": "panel_9", "type": "visualization"}, {"id": "96c2cf10-4a3d-11e8-9b0a-f1d33346f773", "name": "panel_10", "type": "visualization"}, {"id": "3f040620-4a44-11e8-9b0a-f1d33346f773", "name": "panel_11", "type": "visualization"}, {"id": "d66d54c0-4c89-11e8-9b0a-f1d33346f773", "name": "panel_12", "type": "visualization"}], "sort": [1643385898421, 1906], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQxLDE1XQ=="} +{"attributes": 
{"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"7da5ad1e-8383-4383-9a2c-dfa2fc91eea5": {"columnOrder": ["0592df0d-869f-422f-ba64-848d9e3b5e66", "a451bb62-c37e-4924-9c6a-fea87810af73", "0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1"], "columns": {"0592df0d-869f-422f-ba64-848d9e3b5e66": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Logs Over Time By Top 10 Hosts", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "host.name"}, "0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "a451bb62-c37e-4924-9c6a-fea87810af73": {"dataType": "date", "isBucketed": true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"accessors": ["0c7b1b6a-1659-4cf8-97b2-9f3e0a4e14e1"], "layerId": "7da5ad1e-8383-4383-9a2c-dfa2fc91eea5", "layerType": "data", "position": "top", "seriesType": "line", "showGridlines": false, "splitAccessor": "0592df0d-869f-422f-ba64-848d9e3b5e66", "xAccessor": "a451bb62-c37e-4924-9c6a-fea87810af73"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "line", "title": "Empty XY chart", "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Logs Over Time By Top 10 Hosts", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "7f34e6e0-624d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", 
"type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-7da5ad1e-8383-4383-9a2c-dfa2fc91eea5", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 1910], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Destination - Top Connection Duration (Tile Map)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Destination - Top Connection Duration (Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"duration\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "7f7492d0-46c4-11e7-a82e-d97152153689", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1912], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQzLDE1XQ=="} +{"attributes": 
{"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Host - MAC", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Host - MAC\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"host.mac.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MAC\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1914], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQ0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DHCP - Requested Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DHCP - Requested 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.requested_address.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Requested Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9a693c50-7374-11ea-a3da-cbdb4f8a90c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1916], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DHCP - Assigned Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DHCP - Assigned 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dhcp.assigned_ip.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Assigned Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1918], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQ2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dhcp\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"7e10f47b-2096-452d-9b40-be150226504f\"},\"panelIndex\":\"7e10f47b-2096-452d-9b40-be150226504f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":10,\"h\":9,\"i\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\"},\"panelIndex\":\"a795e5b9-2afd-43ef-91db-cd9c23a996f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":9,\"i\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\"},\"panelIndex\":\"d0f65b83-17cd-4a8c-950d-06e5e88bf80b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":20,\"i\":\"c5565d1e-719c-4401-b886-1ad84638b855\"},\"panelIndex\":\"c5565d1e-719c-4401-b886-1ad84638b855\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":20,\"i\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\"},\"panelIndex\":\"ada9481a-335b-4091-ac4e-5f94c96e4cea\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":20,\"i\":\"bcba795f-8008-4f91-887d-35b5aff11022\"},\"panelIndex\":\"bcba795f-8008-4f91-887d-35b5aff11022\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":9,\"w\":7,\"h\":20,\"i\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\"},\"panelIndex\":\"a9615bc2-7e50-4a88-be1c-53eb7096e093\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":9,\"w\":17,\"h\":20,\"i\":\"87dce718-7595-4bb0-b1be-b2f51518f026\"},\"panelIndex\":\"87dce718-7595-4bb0-b1be-b2f51518f026\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":0,\"y\":29,\"w\":48,\"h\":29,\"i\":\"4f1bdb3c-15b5-4d72-bc4f-96a266423272\"},\"panelIndex\":\"4f1bdb3c-15b5-4d72-bc4f-96a266423272\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - DHCP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "80625c10-96dd-11ea-814e-bb515e873c2c", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "eaa31ba0-7374-11ea-a3da-cbdb4f8a90c0", "name": "panel_3", "type": "visualization"}, {"id": "9a693c50-7374-11ea-a3da-cbdb4f8a90c0", "name": "panel_4", "type": "visualization"}, {"id": "cc3aaf20-7374-11ea-a3da-cbdb4f8a90c0", "name": "panel_5", "type": "visualization"}, {"id": "2af5f980-96e2-11ea-814e-bb515e873c2c", "name": "panel_6", "type": "visualization"}, {"id": "36200e40-c76b-11ea-bebb-37c5ab5894ea", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 1928], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "PE - Subsystem (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"PE - Subsystem (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"subsystem.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "807da390-380c-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1930], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQ4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - PE - Subsytem", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.subsystem.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subsystem\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - Subsytem\"}"}, "coreMigrationVersion": "7.16.2", "id": "80a39cb0-c762-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1932], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - MySQL - Success", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - MySQL - 
Success\",\"type\":\"horizontal_bar\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"boolean\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"mysql.success: 
Descending\",\"aggType\":\"terms\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Success\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "80aa0c60-75c0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1934], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjUwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Rule - SID", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Rule - 
SID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Rule ID\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a47ffc70-96f0-11ea-814e-bb515e873c2c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1936], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjUxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:alert AND event.module:suricata\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":8,\"i\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\"},\"panelIndex\":\"afb23064-13dc-4b97-b1be-cf672a6cfb56\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":8,\"i\":\"67961875-85aa-443b-9cac-130c8783cd8d\"},\"panelIndex\":\"67961875-85aa-443b-9cac-130c8783cd8d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\"},\"panelIndex\":\"44bf55fb-18d8-4ae6-a15a-902042d3623c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":20,\"i\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\"},\"panelIndex\":\"cedf23aa-c331-496a-bf27-7c9c8f587d80\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":19,\"y\":8,\"w\":9,\"h\":20,\"i\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\"},\"panelIndex\":\"a2e54d3b-ee05-4d67-82d2-4ac917d9ec4b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":20,\"i\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\"},\"panelIndex\":\"ab088b32-c40e-4a1c-9dcd-758c1ad97edc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":20,\"i\":\"2faea405-e4d3-488b-adfa-373b135d2122\"},\"panelIndex\":\"2faea405-e4d3-488b-adfa-373b135d2122\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":28,\"w\":19,\"h\":18,\"i\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\"},\"panelIndex\":\"728a4c22-9a7e-4152-a4d6-eed2d728abb8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\
"7.9.2\",\"gridData\":{\"x\":19,\"y\":28,\"w\":19,\"h\":18,\"i\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\"},\"panelIndex\":\"32459b34-f7be-4ac0-a672-7a9697ce3bca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":38,\"y\":28,\"w\":10,\"h\":18,\"i\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\"},\"panelIndex\":\"0681c2c1-531d-4f5e-a73f-8382789cbd14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":46,\"w\":48,\"h\":20,\"i\":\"b7ad7fb7-60d2-4a1c-b71a-c438626507af\"},\"panelIndex\":\"b7ad7fb7-60d2-4a1c-b71a-c438626507af\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - Alerts - Suricata", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "81057f40-7733-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "30df00e0-7733-11ea-bee5-af7f7c7b8e05", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "508fb520-72af-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": "a37b9fa0-72b0-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "visualization"}, {"id": "f7e1d570-72ae-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "visualization"}, {"id": "a47ffc70-96f0-11ea-814e-bb515e873c2c", "name": "panel_9", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_10", "type": "search"}], "sort": [1643385898421, 
1948], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SIP - Response From", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SIP - Response From\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.response.from.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.response.from.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Response From\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "81a1a740-75ca-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1950], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzE0MjUzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8261cf00-366e-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1952], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjU0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SNMP - Community String", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SNMP - Community 
String\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"community.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Community String\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "83a91450-4c79-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1954], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjU1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Network Data Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Network Data Over 
Time\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"interpolate\":\"linear\",\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":true,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"},\"dimensions\":{\"x\":{\"accessor\":0,\"format\":{\"id\":\"date\",\"params\":{\"pattern\":\"HH:mm\"}},\"params\":{\"date\":true,\"interval\":\"PT30M\",\"intervalESValue\":30,\"intervalESUnit\":\"m\",\"format\":\"HH:mm\",\"bounds\":{\"min\":\"2020-03-24T15:15:25.819Z\",\"max\":\"2020-03-25T15:15:25.819Z\"}},\"label\":\"@timestamp per 30 
minutes\",\"aggType\":\"date_histogram\"},\"y\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-24h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}}]}"}, "coreMigrationVersion": "7.16.2", "id": "8491c4b0-6eab-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1956], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjU2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DHCP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DHCP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e9a7fe80-357b-11e7-ac34-8965f6420c51", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1958], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DHCP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"DHCP - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG80RwxQT5EBNmq38x", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1960], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DHCP - Message Types", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DHCP - Message 
Types\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"message_types.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Types\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a88e1020-0edb-11e9-9846-59f545e7293f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1962], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DHCP - Domain Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DHCP - Domain 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_name.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ce859b40-0edb-11e9-9846-59f545e7293f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1964], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjYwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":76,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":21,\"y\":52,\"w\":13,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":52,\"w\":13,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 
100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":40,\"h\":25,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":76,\"w\":48,\"h\":20,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":52,\"w\":14,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":33,\"w\":26,\"h\":19,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":33,\"w\":14,\"h\":19,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "z16.04 - Bro - DHCP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "85348270-357b-11e7-ac34-8965f6420c51", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "e9a7fe80-357b-11e7-ac34-8965f6420c51", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "1055ada0-3655-11e7-baa7-b7de4ee40605", "name": "panel_2", "type": "visualization"}, {"id": "317f8410-3655-11e7-baa7-b7de4ee40605", "name": "panel_3", "type": "visualization"}, {"id": "AWDG80RwxQT5EBNmq38x", "name": "panel_4", "type": "visualization"}, {"id": "4e877100-4a48-11e8-9b0a-f1d33346f773", "name": "panel_5", "type": "visualization"}, {"id": "ac1799d0-342d-11e7-9e93-53b62e1857b2", "name": "panel_6", "type": "search"}, {"id": "58c84f60-0edb-11e9-9846-59f545e7293f", "name": "panel_7", "type": "visualization"}, {"id": 
"a88e1020-0edb-11e9-9846-59f545e7293f", "name": "panel_8", "type": "visualization"}, {"id": "ce859b40-0edb-11e9-9846-59f545e7293f", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 1975], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjYxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Intel - Indicator", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Intel - Indicator\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.indicator.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Indicator\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true,\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "db8c57c0-0e5c-11eb-a255-e1e8e85e3571", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1977], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjYyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"query\":\"event.dataset:intel\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Intel - Source", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Intel - Source\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.sources.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "b4222d00-0e60-11eb-a255-e1e8e85e3571", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1979], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjYzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Intel - Seen Where", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Intel - Seen 
Where\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"intel.seen_where.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Seen Where\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "ec57d300-0e60-11eb-a255-e1e8e85e3571", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1981], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjY0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:intel\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"a9613b03-8b84-4149-9dfa-5b059c1e0e70\"},\"panelIndex\":\"a9613b03-8b84-4149-9dfa-5b059c1e0e70\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":14,\"y\":0,\"w\":10,\"h\":9,\"i\":\"77e957c4-13ac-480c-b799-0bd39559781b\"},\"panelIndex\":\"77e957c4-13ac-480c-b799-0bd39559781b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":9,\"i\":\"722a0294-a47b-4cd1-85c0-37f9933552c5\"},\"panelIndex\":\"722a0294-a47b-4cd1-85c0-37f9933552c5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":21,\"i\":\"a008c6c0-0e76-4dc6-802b-72d68ad0c10d\"},\"panelIndex\":\"a008c6c0-0e76-4dc6-802b-72d68ad0c10d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":21,\"i\":\"0adce98b-c9e8-469b-8cac-fb4ceb35b68a\"},\"panelIndex\":\"0adce98b-c9e8-469b-8cac-fb4ceb35b68a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":20,\"y\":9,\"w\":13,\"h\":21,\"i\":\"2b95ef19-525e-4659-8ab3-67cb0e9dc41a\"},\"panelIndex\":\"2b95ef19-525e-4659-8ab3-67cb0e9dc41a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"bde38fe7-9aec-4e19-b9fe-035ee6a66ef7\"},\"panelIndex\":\"bde38fe7-9aec-4e19-b9fe-035ee6a66ef7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":30,\"w\":24,\"h\":15,\"i\":\"2fa3b43b-f3b3-4eeb-8f32-1a3f2ccfc6c0\"},\"panelIndex\":\"2fa3b43b-f3b3-4eeb-8f32-1a3f2ccfc6c0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\
":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":30,\"w\":24,\"h\":15,\"i\":\"79c4ec17-8411-49d8-82af-6921a321dd3b\"},\"panelIndex\":\"79c4ec17-8411-49d8-82af-6921a321dd3b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":34,\"i\":\"779d2461-4d8a-4254-b380-26650a52a026\"},\"panelIndex\":\"779d2461-4d8a-4254-b380-26650a52a026\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - Intel", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "85b529a0-0e5a-11eb-a255-e1e8e85e3571", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "db8c57c0-0e5c-11eb-a255-e1e8e85e3571", "name": "panel_5", "type": "visualization"}, {"id": "b4222d00-0e60-11eb-a255-e1e8e85e3571", "name": "panel_6", "type": "visualization"}, {"id": "6b109430-0e60-11eb-a255-e1e8e85e3571", "name": "panel_7", "type": "visualization"}, {"id": "ec57d300-0e60-11eb-a255-e1e8e85e3571", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 1992], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjY1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMB - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SMB - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per minute\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "85e40a70-3aac-11e7-8b17-0d8709b02c80", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1994], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjY2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Authentication Status (Donut 
Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RFB - Authentication Status (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"auth.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Status\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "869e3030-371e-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 1996], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjY3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Modbus - Exception", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Modbus - Exception\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"modbus.exception.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"modbus.exception.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Exception\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "93cdb730-75be-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 1998], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjY4LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:modbus\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\"},\"panelIndex\":\"dcdc1d0b-bec1-402d-a34b-39464e9a2749\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\"},\"panelIndex\":\"ccbb40c9-d2e4-4592-a91f-b1f6912a35f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\"},\"panelIndex\":\"32fd8cfa-64ad-41d7-b4f7-2c71f351916a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"b15f438a-6f24-4099-90e6-d66f950029bc\"},\"panelIndex\":\"b15f438a-6f24-4099-90e6-d66f950029bc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\"},\"panelIndex\":\"089f29d5-cf23-4b6a-8b80-27911ffd6b1a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":8,\"w\":14,\"h\":19,\"i\":\"4154e8b1-e314-4623-aaf4-0404a108551a\"},\"panelIndex\":\"4154e8b1-e314-4623-aaf4-0404a108551a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\"},\"panelIndex\":\"8acbc44d-4fe2-42b0-a6e9-4a3bc4e4aeb6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"c4d3c93a-746f-4edc-835c-66f1380fc5d4\"},\"panelIndex\":\"c4d3c93a-746f-4edc-835c-66f1380fc5d4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - Modbus", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "886a7b90-75bd-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "62449800-75be-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "93cdb730-75be-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2007], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "PE - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"PE - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "9cffd160-363f-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2009], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjcwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "PE - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"PE - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHCUeZxQT5EBNmq4Xy", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2011], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjcxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":16,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"fuid\",\"machine\",\"is_exe\",\"is_64bit\",\"subsystem\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "z16.04 - Bro - PE", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "8a10e380-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "9cffd160-363f-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "45c4ae10-380c-11e7-a1cc-ebc6a7e70e84", "name": 
"panel_2", "type": "visualization"}, {"id": "807da390-380c-11e7-a1cc-ebc6a7e70e84", "name": "panel_3", "type": "visualization"}, {"id": "66288140-342e-11e7-9e93-53b62e1857b2", "name": "panel_4", "type": "search"}, {"id": "4e56b4d0-416f-11e7-9850-b78558d0ac17", "name": "panel_5", "type": "visualization"}, {"id": "7de76e10-6e1f-11e7-b553-7f80727663c1", "name": "panel_6", "type": "visualization"}, {"id": "AWDHCUeZxQT5EBNmq4Xy", "name": "panel_7", "type": "visualization"}], "sort": [1643385898421, 2020], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjcyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSH - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8a60eb50-365f-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2022], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion 
- SSH - HASSH", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SSH - HASSH\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.hassh.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "8afa5f50-75eb-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2024], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjc0LDE1XQ=="} +{"attributes": {"description": "based on the Endgame - Categories with Full Event Type viz, modded by rlp 20211220", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - Event Categories", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"asc\"}}}}", "version": 1, "visState": "{\"title\":\"Endgame - Event 
Categories\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"event.category\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"showToolbar\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"row\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "8b3bb5c0-61af-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2027], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjc1LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"129a936c-78f7-4b8a-91a7-712c80565727": {"columnOrder": ["4335200b-f044-42ae-88fb-5a21866cebe0", "b9c21cd1-839b-4e12-b602-b834e52e378e", "4c86d61d-2f88-4bfc-b2be-474179593cba"], "columns": {"4335200b-f044-42ae-88fb-5a21866cebe0": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "type", "operationType": "terms", "params": {"missingBucket": true, "orderBy": {"columnId": "4c86d61d-2f88-4bfc-b2be-474179593cba", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "type"}, "4c86d61d-2f88-4bfc-b2be-474179593cba": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, 
"b9c21cd1-839b-4e12-b602-b834e52e378e": {"customLabel": true, "dataType": "ip", "isBucketed": true, "label": "host.ip", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "4c86d61d-2f88-4bfc-b2be-474179593cba", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.ip"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "registry"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "registry"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "4335200b-f044-42ae-88fb-5a21866cebe0", "isTransposed": false}, {"columnId": "b9c21cd1-839b-4e12-b602-b834e52e378e", "isTransposed": false}, {"columnId": "4c86d61d-2f88-4bfc-b2be-474179593cba", "isTransposed": false}], "layerId": "129a936c-78f7-4b8a-91a7-712c80565727", "layerType": "data"}}, "title": "Endgame - Registry Type", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "8d1f99e0-6e45-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-129a936c-78f7-4b8a-91a7-712c80565727", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2032], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjc2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3b6026b4-9c36-4fbc-9f90-bd5580303bea": {"columnOrder": 
["d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721", "ff0a89b4-427d-4739-bb83-86794a1f4289"], "columns": {"d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "ff0a89b4-427d-4739-bb83-86794a1f4289", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 20}, "scale": "ordinal", "sourceField": "user.name"}, "ff0a89b4-427d-4739-bb83-86794a1f4289": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.kind : \"alert\" "}, "visualization": {"columns": [{"columnId": "d3b0fc48-6659-4b1a-b57d-a8b2ee3e8721"}, {"columnId": "ff0a89b4-427d-4739-bb83-86794a1f4289"}], "layerId": "3b6026b4-9c36-4fbc-9f90-bd5580303bea", "layerType": "data"}}, "title": "Endgame - Alerted Users", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "8da24210-6cbe-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3b6026b4-9c36-4fbc-9f90-bd5580303bea", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2036], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjc3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Notice Generated (Donut Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Weird - Notice Generated (Donut 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8dbbbed0-364e-11e7-9dc3-d35061cb642d", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2038], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjc4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RDP - Client Build", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RDP - Client Build\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"client_build.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Client Build\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "8e18ee60-371c-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": 
"7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2040], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjc5LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"367cf35f-001a-4014-acc6-677bc504a945": {"columnOrder": ["6170616f-f2d9-47b9-8bdd-aeb746b4b2cb", "217236ba-3def-46da-8aa0-3c41d3484a50"], "columns": {"217236ba-3def-46da-8aa0-3c41d3484a50": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "6170616f-f2d9-47b9-8bdd-aeb746b4b2cb": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "event.type", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "217236ba-3def-46da-8aa0-3c41d3484a50", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.type"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "file"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "file"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "6170616f-f2d9-47b9-8bdd-aeb746b4b2cb"}, {"columnId": "217236ba-3def-46da-8aa0-3c41d3484a50"}], "layerId": "367cf35f-001a-4014-acc6-677bc504a945", "layerType": "data"}}, "title": "Endgame - File Event Type", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "8f2285f0-6d6d-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": 
"indexpattern-datasource-layer-367cf35f-001a-4014-acc6-677bc504a945", "type": "index-pattern"}, {"id": "endgame-*", "name": "filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2045], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "SSL - Certificate Common Name Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "8fa702e0-6f0b-11e7-9d31-23c0596994a7", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2047], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjgxLDE1XQ=="} 
+{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Files - MIME Type", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Files - MIME Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"file.mimetype.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"file.mimetype.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"MIMEType\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "8fb3c480-75f2-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2049], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjgyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "All Sensors - Log Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"All Sensors - Log Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Log Type(s)\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "901bda80-a83f-11e7-893a-1b88920b2837", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2051], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RADIUS - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ccb3e270-363f-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2053], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjg0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RADIUS - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "b48442b0-3808-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2055], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjg1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RADIUS - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "cea78b70-3808-11e7-a1cc-ebc6a7e70e84", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 2057], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjg2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RADIUS - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "b0456970-6e1f-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2059], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"RADIUS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHCgWzxQT5EBNmq4Y5", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2061], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjg4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RADIUS - Username", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RADIUS - Username\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"username.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Username\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e827bab0-4a5a-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"75545310-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2063], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjg5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":56,\"w\":24,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":24,\"h\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5
\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":20,\"h\":24,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "z16.04 - Bro - RADIUS", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "90b246c0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "ccb3e270-363f-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "b48442b0-3808-11e7-a1cc-ebc6a7e70e84", "name": "panel_2", "type": "visualization"}, {"id": "cea78b70-3808-11e7-a1cc-ebc6a7e70e84", "name": "panel_3", "type": "visualization"}, {"id": "10cd7190-3809-11e7-a1cc-ebc6a7e70e84", "name": "panel_4", "type": "visualization"}, {"id": "5df79fe0-3809-11e7-a1cc-ebc6a7e70e84", "name": "panel_5", "type": "visualization"}, {"id": "75545310-342e-11e7-9e93-53b62e1857b2", "name": 
"panel_6", "type": "search"}, {"id": "b0456970-6e1f-11e7-b553-7f80727663c1", "name": "panel_7", "type": "visualization"}, {"id": "AWDHCgWzxQT5EBNmq4Y5", "name": "panel_8", "type": "visualization"}, {"id": "e827bab0-4a5a-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}, {"id": "30348db0-4a5b-11e8-9b0a-f1d33346f773", "name": "panel_10", "type": "visualization"}], "sort": [1643385898421, 2075], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjkwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SIP - Destination Country (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SIP - Destination Country (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "90bf0a80-3750-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2077], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjkxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\n 
\"indexRefName\": \"kibanaSavedObjectMeta.searchSourceJSON.index\"\n}"}, "title": "Security Onion - Rule - ID", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"title\":\"Security Onion - Rule - ID\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.uuid\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"ID\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "91bd9990-7737-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2079], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Syslog - Log Count Over Time", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Log Count Over 
Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 30 seconds\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "92b202e0-76b4-11e7-94e1-3d2ec4e57ed9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2081], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MjkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Host - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Host - 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Agent Name\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"agent.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f03402e0-72bc-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2083], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjk0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.category:host\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c743998d-d4c5-429f-87ce-67bac2649e72\"},\"panelIndex\":\"c743998d-d4c5-429f-87ce-67bac2649e72\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":15,\"h\":8,\"i\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\"},\"panelIndex\":\"8acc6336-35b7-4c1a-b0ef-3b3ec6870b1f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":23,\"y\":0,\"w\":25,\"h\":8,\"i\":\"8485e0bf-8342-42ff-82b4-eb2611191060\"},\"panelIndex\":\"8485e0bf-8342-42ff-82b4-eb2611191060\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":18,\"i\":\"ba08df96-10b9-4b30-803f-f40387867ccc\"},\"panelIndex\":\"ba08df96-10b9-4b30-803f-f40387867ccc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":8,\"w\":7,\"h\":18,\"i\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\"},\"panelIndex\":\"254bcae3-60d3-4193-b258-6f9f3eba0af3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":15,\"y\":8,\"w\":8,\"h\":18,\"i\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\"},\"panelIndex\":\"89d115c0-ee70-4250-9742-fb3c554e69a7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":23,\"y\":8,\"w\":25,\"h\":18,\"i\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\"},\"panelIndex\":\"0c1675bb-01ef-4020-95f1-3f35e0c6fad8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":20,\"i\":\"38bc9e98-7934-4d1b-89fa-1b57765086c3\"},\"panelIndex\":\"38bc9e98-7934-4d1b-89fa-1b57765086c3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - Host", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "92e63cc0-6ec0-11ea-9266-1fd14ca6af34", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "df50eba0-6ec0-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "8b065a80-6eca-11ea-9266-1fd14ca6af34", "name": "panel_3", "type": "visualization"}, {"id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_4", "type": "visualization"}, {"id": "f03402e0-72bc-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "758187b0-72bd-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": "a866be10-0e45-11eb-a255-e1e8e85e3571", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2092], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Content Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"content_type.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Content Type\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": 
"930b1600-3753-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2094], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjk2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:ossec AND event.dataset:alert\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":8,\"w\":12,\"h\":19,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":12,\"y\":8,\"w\":11,\"h\":19,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":23,\"y\":8,\"w\":7,\"h\":19,\"i\":\"a4bd8139-6fdd-476e-b6ff-8dd036e0f747\"},\"panelIndex\":\"a4bd8139-6fdd-476e-
b6ff-8dd036e0f747\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":30,\"y\":8,\"w\":8,\"h\":19,\"i\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\"},\"panelIndex\":\"df2cccc2-5ac2-4522-9756-76a16ba2b0ce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\"},\"panelIndex\":\"8b5674df-aad2-4af7-aa91-90a9d3e3980c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":21,\"i\":\"365259e4-659e-4950-8e82-b8d8fc7fadca\"},\"panelIndex\":\"365259e4-659e-4950-8e82-b8d8fc7fadca\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - Wazuh", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9480f190-7732-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "30df00e0-7733-11ea-bee5-af7f7c7b8e05", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "508fb520-72af-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "f7e1d570-72ae-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "91bd9990-7737-11ea-bee5-af7f7c7b8e05", "name": "panel_5", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": "407784f0-7738-11ea-bee5-af7f7c7b8e05", "name": "panel_7", "type": "visualization"}, {"id": "a866be10-0e45-11eb-a255-e1e8e85e3571", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 2104], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": 
"WzE0Mjk3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Total Number of Logs", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Total Number of Logs\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Total Number of Logs\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDGyaGxxQT5EBNmq3K9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2106], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Sensors - Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Sensors - 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"sensor_name.keyword\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDGzmzcxQT5EBNmq3Sj", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2108], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mjk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Devices - Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Devices - Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"syslog-host_from.keyword\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG0UDvxQT5EBNmq3WD", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2110], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzAwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":132,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":16,\"x\":0,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":32,\"x\":32,\"y\":24,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i\":\"32\"},\"panelIndex\":\"32\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":16,\"x\":32,\"y\":8,\"i\":\"33\"},\"panelIndex\":\"33\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":16,\"x\":40,\"y\":8,\"i\":\"34\"},\"panelIndex\":\"34\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":8,\"x\":0,\"y\":72,\"i\":\"35\"},\"panelIndex\":\"35\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":8,\"x\":16,\"y\":72,
\"i\":\"36\"},\"panelIndex\":\"36\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":8,\"x\":32,\"y\":72,\"i\":\"37\"},\"panelIndex\":\"37\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"38\"},\"panelIndex\":\"38\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":108,\"i\":\"39\"},\"panelIndex\":\"39\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":28,\"x\":24,\"y\":80,\"i\":\"40\"},\"panelIndex\":\"40\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":28,\"x\":0,\"y\":80,\"i\":\"41\"},\"panelIndex\":\"41\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_15\"}]", "timeRestore": false, "title": "z16.04 - Overview", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "94b52620-342a-11e7-9d52-4f090484f59e", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "panel_1", "type": "search"}, {"id": "1c2aeb50-365e-11e7-b896-5bdd6bfa1561", "name": "panel_2", "type": "visualization"}, {"id": "277f3250-4161-11e7-8493-51634b0a4565", "name": "panel_3", "type": "visualization"}, {"id": "901bda80-a83f-11e7-893a-1b88920b2837", "name": "panel_4", "type": "visualization"}, {"id": "5b3988c0-a840-11e7-893a-1b88920b2837", "name": "panel_5", "type": "visualization"}, {"id": "AWDGyaGxxQT5EBNmq3K9", "name": "panel_6", "type": "visualization"}, {"id": "AWDGzmzcxQT5EBNmq3Sj", "name": "panel_7", "type": 
"visualization"}, {"id": "AWDG0UDvxQT5EBNmq3WD", "name": "panel_8", "type": "visualization"}, {"id": "AWDG1uC-xQT5EBNmq3dP", "name": "panel_9", "type": "visualization"}, {"id": "AWDG3ym0xQT5EBNmq3mG", "name": "panel_10", "type": "visualization"}, {"id": "AWDG4pcDxQT5EBNmq3pi", "name": "panel_11", "type": "visualization"}, {"id": "733ce440-494d-11e8-9576-313be7c6b44b", "name": "panel_12", "type": "visualization"}, {"id": "2a949080-4a3d-11e8-9b0a-f1d33346f773", "name": "panel_13", "type": "visualization"}, {"id": "96c2cf10-4a3d-11e8-9b0a-f1d33346f773", "name": "panel_14", "type": "visualization"}, {"id": "ee0ba080-4a3d-11e8-9b0a-f1d33346f773", "name": "panel_15", "type": "visualization"}], "sort": [1643385898421, 2127], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - PE - OS", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.os.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"OS\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - PE - OS\"}"}, "coreMigrationVersion": "7.16.2", "id": "b449a870-c762-11ea-bebb-37c5ab5894ea", "migrationVersion": 
{"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2129], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzAyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:pe\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\"},\"panelIndex\":\"858c0209-49ab-4c0c-9b9c-bc71e363be32\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":12,\"h\":9,\"i\":\"94db978d-70ba-4ade-a680-1297961aa832\"},\"panelIndex\":\"94db978d-70ba-4ade-a680-1297961aa832\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":9,\"i\":\"8973a749-ddc9-4476-8946-280e748da61e\"},\"panelIndex\":\"8973a749-ddc9-4476-8946-280e748da61e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":18,\"i\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\"},\"panelIndex\":\"8797e1d3-84b0-4840-9ba3-6e74f15a5f08\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":9,\"w\":15,\"h\":18,\"i\":\"b9da8481-6781-4431-83de-c51834199de7\"},\"panelIndex\":\"b9da8481-6781-4431-83de-c51834199de7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":9,\"w\":10,\"h\":18,\"i\":\"ceba5670-4f26-411e-a19a-e130cf715228\"},\"panelIndex\":\"ceba5670-4f26-411e-a19a-e130cf715228\",\"embeddableConfig\":{\"enhancements\":{}},\"panel
RefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":35,\"y\":9,\"w\":13,\"h\":18,\"i\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\"},\"panelIndex\":\"5f1b3a55-7919-448d-897c-fc7166b283d0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"767dc27a-2b54-4360-bb34-c1a41528ad25\"},\"panelIndex\":\"767dc27a-2b54-4360-bb34-c1a41528ad25\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "Security Onion - PE", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "94b55b90-c761-11ea-bebb-37c5ab5894ea", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "80a39cb0-c762-11ea-bebb-37c5ab5894ea", "name": "panel_3", "type": "visualization"}, {"id": "b449a870-c762-11ea-bebb-37c5ab5894ea", "name": "panel_4", "type": "visualization"}, {"id": "07419650-c763-11ea-bebb-37c5ab5894ea", "name": "panel_5", "type": "visualization"}, {"id": "282bf2c0-c763-11ea-bebb-37c5ab5894ea", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2138], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzAzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:snmp\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\"},\"panelIndex\":\"752f2974-3abc-482c-afdc-c85cf5643cc6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\"},\"panelIndex\":\"dfa3b3da-b86b-4d11-add3-c7e18c40654b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"4c444c07-93f9-43d2-966e-1a0db864c011\"},\"panelIndex\":\"4c444c07-93f9-43d2-966e-1a0db864c011\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\"},\"panelIndex\":\"3f20fbbb-d47b-4b9e-94a0-f5f144ce0dd2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":19,\"i\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\"},\"panelIndex\":\"5c5850b6-1e17-4d4a-9122-8d6a6b275fb0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":19,\"i\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\"},\"panelIndex\":\"2df47b07-dcfd-46a9-a908-cd03bb3ae82e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":19,\"i\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\"},\"panelIndex\":\"7fec36da-2c28-4eef-9d15-bd5d64628d1d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"db2dff22-e4c1-41ea-a07d-8c0b0080cb04\"},\"panelIndex\":\"db2dff22-e4c1-41ea-a07d-8c0b0080cb04\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - SNMP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "96522610-75e8-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "424ace90-75e9-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "690ef880-75e9-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2147], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - \"To\" Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - \\\"To\\\" Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"recipient_to.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\\\"To\\\" Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": 
"96767400-39a2-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2149], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzA1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RDP - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RDP - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_b
ounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "fd549d70-363f-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2151], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RDP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RDP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f9a16c80-371b-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2153], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzA3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RDP - Keyboard Layout (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RDP - Keyboard Layout (Pie 
Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"keyboard_layout.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Keyboard Layout\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "be7637c0-371c-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2155], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzA4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RDP - Result (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RDP - Result (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"result.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Result\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c4f37d70-6e20-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2157], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "RDP - Encryption Level (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"RDP - Encryption Level (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0,\"filter\":true},\"title\":{\"text\":\"Encryption Level\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"encryption_level.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Encryption Level\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ef307a70-6e20-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": 
[{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2159], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzEwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RDP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"RDP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHCvBexQT5EBNmq4aK", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2161], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzExLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", 
"panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":12,\"x\":36,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":12,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":12,\"x\":20,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\
"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]", "timeRestore": false, "title": "z16.04 - Bro - RDP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "97f8c3a0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "fd549d70-363f-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "823dd600-342e-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": "search"}, {"id": "f9a16c80-371b-11e7-90f8-87842d5eedc9", "name": "panel_3", "type": "visualization"}, {"id": "0b9dea80-371c-11e7-90f8-87842d5eedc9", "name": "panel_4", "type": "visualization"}, {"id": "19dfd180-371c-11e7-90f8-87842d5eedc9", "name": "panel_5", "type": "visualization"}, {"id": "524e13b0-371c-11e7-90f8-87842d5eedc9", "name": "panel_6", "type": "visualization"}, {"id": "75597b60-371c-11e7-90f8-87842d5eedc9", "name": "panel_7", "type": "visualization"}, {"id": "8e18ee60-371c-11e7-90f8-87842d5eedc9", "name": "panel_8", "type": "visualization"}, {"id": "be7637c0-371c-11e7-90f8-87842d5eedc9", "name": "panel_9", "type": "visualization"}, {"id": "c4f37d70-6e20-11e7-b553-7f80727663c1", "name": "panel_10", "type": "visualization"}, {"id": "ef307a70-6e20-11e7-b553-7f80727663c1", "name": "panel_11", "type": "visualization"}, {"id": "AWDHCvBexQT5EBNmq4aK", "name": "panel_12", "type": "visualization"}], "sort": [1643385898421, 2175], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzEyLDE1XQ=="} +{"attributes": 
{"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSH - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "9a33f9a0-365f-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2177], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Destination IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "9a54f150-366e-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2179], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzE0LDE1XQ=="} +{"attributes": {"columns": ["source_ip", "name", "software_type"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"filter\":[],\"query\":{\"query_string\":{\"query\":\"event_type:bro_software\",\"analyze_wildcard\":true}},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Software - Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ba3d77e0-342e-11e7-9e93-53b62e1857b2", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2181], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzE1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Software - Summary", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Software - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_major.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Major Version\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version_minor.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Minor Version\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"software_type.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"6\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP 
Address\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9b0f6a80-4c7a-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ba3d77e0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2183], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzE2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Zeek - Notice", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Zeek - Notice\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.note.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Notice\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9c6ccff0-7a84-11ea-9d13-57f5db13d1ed", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2185], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzE3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[{\"meta\":{\"negate\":true,\"disabled\":true,\"alias\":\"Initial Systems/Queries\",\"type\":\"phrase\",\"key\":\"osquery.counter\",\"params\":{\"query\":0},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"type\":\"phrases\",\"key\":\"osquery.codename\",\"value\":\"server\",\"params\":[\"server\"],\"negate\":false,\"disabled\":true,\"alias\":\"Servers Only\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"bool\":{\"should\":[{\"match_phrase\":{\"osquery.codename\":\"server\"}}],\"minimum_should_match\":1}},\"$state\":{\"store\":\"appState\"}}]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":27,\"w\":40,\"h\":21,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"osquery.hostname\",\"osquery.name\",\"osquery.LiveQuery\",\"osquery.EndpointIP1\",\"osquery.EndpointIP2\"],\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":13,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":13,\"w\":40,\"h\":14,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Changes by 
Type\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":13,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Changes by Hostname\",\"panelRefName\":\"panel_4\"}]", "timeRestore": false, "title": "z16.04 - osquery - Overview", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9d0e2da0-14e1-11e9-82f7-0da02d93a48b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "84116380-14e1-11e9-82f7-0da02d93a48b", "name": "panel_1", "type": "search"}, {"id": "2f556c90-14e3-11e9-82f7-0da02d93a48b", "name": "panel_2", "type": "visualization"}, {"id": "369e16e0-14e4-11e9-82f7-0da02d93a48b", "name": "panel_3", "type": "visualization"}, {"id": "05a5ed10-14e4-11e9-82f7-0da02d93a48b", "name": "panel_4", "type": "visualization"}], "sort": [1643385898421, 2193], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - Top Source Ports", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - Top Source 
Ports\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.port\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9d3413c0-6ea0-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2195], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzE5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:ssh\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\"},\"panelIndex\":\"b816ee0e-45c6-438d-a4ed-799d9e80a9f0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\"},\"panelIndex\":\"cbfd7081-d82b-4e29-b21c-6e9584d67328\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\"},\"panelIndex\":\"d9b0c92a-8625-4e72-8a7c-333381e17244\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\"},\"panelIndex\":\"766c95ce-e20f-4e88-935f-2211b7be6b65\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\"},\"panelIndex\":\"e9ec8c9e-8a76-4501-abcb-2c9c08adfc44\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":13,\"h\":19,\"i\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\"},\"panelIndex\":\"c2747e56-14c2-4a70-a1a7-e31affae20f8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":8,\"w\":15,\"h\":19,\"i\":\"ff324073-699d-4b26-b4fd-28190fa3803b\"},\"panelIndex\":\"ff324073-699d-4b26-b4fd-28190fa3803b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":17,\"h\":18,\"i\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\"},\"panelIndex\":\"248c6442-b868-4e06-bfaa-e6da2d2d7463\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\
":\"7.9.0\",\"gridData\":{\"x\":17,\"y\":27,\"w\":16,\"h\":18,\"i\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\"},\"panelIndex\":\"d24e4833-8b52-45ac-ac3f-bb31379e8380\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":27,\"w\":15,\"h\":18,\"i\":\"6711f807-284e-4025-99bb-cee25c0e970d\"},\"panelIndex\":\"6711f807-284e-4025-99bb-cee25c0e970d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":29,\"i\":\"3d4c3a76-579f-494d-b87c-d594fea44d83\"},\"panelIndex\":\"3d4c3a76-579f-494d-b87c-d594fea44d83\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - SSH", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9dfd77e0-75eb-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "292b1db0-75ea-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "46221fe0-75ea-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "7d61f430-75ea-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "104a4a90-75eb-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "8afa5f50-75eb-11ea-9565-7315f4ee5cac", "name": "panel_9", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_10", "type": "search"}], "sort": [1643385898421, 2207], "type": 
"dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzIwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DCE/RPC - Endpoint", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DCE/RPC - Endpoint\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.endpoint.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a427d6e0-96db-11ea-814e-bb515e873c2c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2209], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzIxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DCE/RPC - Named Pipe", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - 
DCE/RPC - Named Pipe\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.named_pipe.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Named Pipe\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c2f21270-96db-11ea-814e-bb515e873c2c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2211], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DCE/RPC - Operation", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DCE/RPC - 
Operation\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dce_rpc.operation.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Operation\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "df7989f0-96db-11ea-814e-bb515e873c2c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2213], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzIzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dce_rpc\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\"},\"panelIndex\":\"95dc50d5-926a-4ab3-a746-0e53f475d658\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":14,\"h\":9,\"i\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\"},\"panelIndex\":\"5b559994-ed67-43c8-8eed-ab30fd8b3d26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":9,\"i\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\"},\"panelIndex\":\"4251a61c-1dcd-47b3-9866-f7ed939c73d4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":21,\"i\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\"},\"panelIndex\":\"e74255f5-4dc6-4df0-ab24-032dd7d4bc02\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":21,\"i\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\"},\"panelIndex\":\"55f5c9e0-264b-44d1-9b49-0bb7890ef4bd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":9,\"h\":21,\"i\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\"},\"panelIndex\":\"2a33a3df-4690-4ea4-a71a-9c98cb612213\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":9,\"w\":8,\"h\":21,\"i\":\"ee61c32f-e801-494f-a819-b5788bed856f\"},\"panelIndex\":\"ee61c32f-e801-494f-a819-b5788bed856f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":21,\"i\":\"f7c23591-431c-4a4c-a69b-a349c37697da\"},\"panelIndex\":\"f7c23591-431c-4a4c-a69b-a349c37697da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":0,\"y\":30,\"w\":48,\"h\":29,\"i\":\"f360db9a-9572-4b67-8be4-6f53084940a3\"},\"panelIndex\":\"f360db9a-9572-4b67-8be4-6f53084940a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - DCE/RPC", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9e882df0-72c5-11ea-8dd2-9d8795a1200b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "a427d6e0-96db-11ea-814e-bb515e873c2c", "name": "panel_5", "type": "visualization"}, {"id": "c2f21270-96db-11ea-814e-bb515e873c2c", "name": "panel_6", "type": "visualization"}, {"id": "df7989f0-96db-11ea-814e-bb515e873c2c", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 2223], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzI0LDE1XQ=="} +{"attributes": {"columns": ["_source"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "Security Onion - Osquery", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9eed5fc0-afcb-11ea-b262-353d451b125b", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "logs-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2225], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Authentication Method", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Authentication Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Method\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "bf47f4c0-371e-11e7-90f8-87842d5eedc9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2227], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "bbbe5a80-6e21-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2229], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzI3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d6ec3570-6e21-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 2231], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzI4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"RFB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e8982270-6e21-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2233], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Authentication Method (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"RFB - Authentication Method (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"authentication_method.keyword\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Method\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c24191f0-6e22-11e7-b553-7f80727663c1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2235], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzMwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "RFB - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"RFB - Log 
Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHC8iGxQT5EBNmq4bs", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2237], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzMxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":56,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":56,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":80,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"
y\":80,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":80,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":12,\"x\":8,\"y\":20,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]", "timeRestore": false, "title": "z16.04 - Bro - RFB", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "9ef20ae0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "265a04d0-3640-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "869e3030-371e-11e7-90f8-87842d5eedc9", "name": "panel_2", "type": "visualization"}, {"id": "bf47f4c0-371e-11e7-90f8-87842d5eedc9", "name": "panel_3", "type": "visualization"}, {"id": "14274040-371f-11e7-90f8-87842d5eedc9", "name": "panel_4", "type": "visualization"}, {"id": "63c072c0-371f-11e7-90f8-87842d5eedc9", "name": "panel_5", "type": "visualization"}, {"id": "8ba53710-342e-11e7-9e93-53b62e1857b2", "name": "panel_6", "type": "search"}, {"id": "bbbe5a80-6e21-11e7-b553-7f80727663c1", "name": "panel_7", "type": "visualization"}, {"id": "d6ec3570-6e21-11e7-b553-7f80727663c1", "name": "panel_8", "type": "visualization"}, {"id": "e8982270-6e21-11e7-b553-7f80727663c1", "name": "panel_9", "type": "visualization"}, {"id": "4fade7b0-6e22-11e7-b553-7f80727663c1", "name": "panel_10", "type": "visualization"}, {"id": "7c1e3f70-6e22-11e7-b553-7f80727663c1", "name": "panel_11", "type": "visualization"}, {"id": 
"c24191f0-6e22-11e7-b553-7f80727663c1", "name": "panel_12", "type": "visualization"}, {"id": "AWDHC8iGxQT5EBNmq4bs", "name": "panel_13", "type": "visualization"}], "sort": [1643385898421, 2252], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzMyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SIP - Content Type", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SIP - Content Type\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.content_type.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.content_type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "9ff24600-75ca-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2254], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzMzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"}, "title": "Help", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Help\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"markdown\":\"## Introduction\\nWelcome to the Security Onion Elastic Stack! This is our implementation of the Elastic Stack on Security Onion. The Elastic Stack consists of three primary components:\\n- `Elasticsearch` - stores logs\\n- `Logstash` - collects and enriches logs before storing them in Elasticsearch\\n- `Kibana` - web interface for visualizing logs\\n\\n## Sidebar\\nStarting on the far left side of the page, you see the Sidebar. This contains links such as:\\n- `Discover` - search data\\n- `Visualize` - create visualizations based on searches\\n- `Dashboard` - view or create dashboards based on visualizations\\n- `Timelion` - timeline analysis\\n- `Dev Tools` - query Elasticsearch directly\\n- `Management` - view or modify Kibana settings\\n- `Squert` - separate web interface for viewing NIDS and HIDS alerts\\n- `Logout` - log out of your session\\n\\nThe first six of those links are within Kibana itself. If you click one of those and then want to get back to the Dashboards area where you started, simply click the `Dashboard` link.\\n\\nClicking the `Squert` link will take you out of Kibana and into Squert. 
You will not be required to authenticate to Squert since you already have an active Single Sign On (SSO) session.\\n\\nClicking the `Logout` link in either Squert or Kibana will log you out of your SSO session and take you back to the logon screen.\\n\\n## Navigation Panel\\nWhen you are in the Kibana Dashboard area, the panel to the immediate right of the sidebar is the Navigation Panel and it includes links to our dashboards such as Home, Help (this page), Bro Notices, ElastAlert, HIDS, NIDS, etc. Clicking one of the links in the Navigation Panel will take you to a dashboard dedicated to that particular log type. \\n\\n## Dashboards\\nAll dashboards are designed to work at 1024x768 screen resolution in order to maximize compatibility.\\n\\n### Dashboard Hyperlinks\\n\\nThe `source_ip` and `destination_ip` fields are hyperlinked. These hyperlinks will take you to the Indicator dashboard which will help you analyze the traffic relating to that particular IP address.\\n\\n`UID` fields are also hyperlinked. This hyperlink will start a new Kibana search for that particular UID. In the case of Bro UIDs this will show you all Bro logs related to that particular connection.\\n\\nEach log entry also has an `_id` field that is hyperlinked. This hyperlink will take you to CapMe, allowing you to request full packet capture for any arbitrary log type. This assumes that the log is for tcp or udp traffic that was seen by Bro and Bro recorded it correctly in its conn.log. \\n\\n### Overview Dashboard\\nWhen you first go to the Kibana Dashboard area, you are automatically placed into the Overview dashboard, where you will see overview information, such as total number of logs and sensors. 
Use the information on the Overview dashboard to determine which of the other dashboards on the Navigation Panel you might want to visit next.\\n\\n### Dashboard Categories\\nOur remaining dashboards are grouped into a few categories:\\n- `Alert Data` - dashboards that display alerts created by rules or signatures\\n- `Bro Hunting` - dashboards that allow you to slice and dice network metadata for hunting\\n- `Host Hunting` - dashboards that allow you to hunt via host telemetry\\n- `Other` - dashboards that don't fit into the categories above\\n\\n### Bro Notices\\nBro sniffs network traffic and generates notices such as `SSL::Invalid Server Cert` and `TeamCymruMalwareHashRegistry::Match`.\\n\\n### ElastAlert\\nElastAlert queries Elasticsearch on a regular basis and then generates alerts based on your desired criteria. Security Onion includes two example rules that alert on new IDS events and new connection logs. You can add your own ElastAlert rules in `/etc/elastalert/rules/`.\\n\\n### HIDS\\nOSSEC analyzes log files and generates Host Intrusion Detection System alerts based on its ruleset at `/var/ossec/rules/`. You can add your own rules in `/var/ossec/rules/local_rules.xml`.\\n\\n### NIDS\\nSecurity Onion can use either Snort or Suricata to sniff network traffic and generate Network Intrusion Detection System alerts. 
\\n\\n### Connections\\nBro sniffs network traffic and logs connection metadata including source IP/port, destination IP/port, protocol, and number of bytes.\\n\\n### DCE/RPC\\nBro sniffs network traffic and logs DCE/RPC metadata including source IP/port, destination IP/port, operation, endpoint, and named pipe.\\n\\n### DHCP\\nBro sniffs network traffic and logs DHCP requests and responses including source IP/port, destination IP/port, and MAC addresses.\\n\\n### DNP3\\nBro sniffs network traffic and logs DNP3 metadata including source IP/port, destination IP/port, function request, function reply.\\n\\n### DNS\\nBro sniffs network traffic and logs DNS queries and answers. Bro also includes other name lookups such as Windows NetBIOS name service requests and Bonjour.\\n\\n### Files\\nBro sniffs network traffic and logs metadata related to files being transferred over the network including IP addresses, MIME type, source, and checksums.\\n\\n### FTP\\nBro sniffs network traffic and logs FTP metadata including source IP/port, destination IP/port, command, reply code, argument, and username.\\n\\n### HTTP\\nBro sniffs network traffic and logs HTTP metadata including source IP/port, destination IP/port, method, status message, MIME type, site name, referer, and user agent.\\n\\n### Intel\\nBro sniffs network traffic and watches for indicators using the Intel framework. 
You can add your own indicators to `/opt/bro/share/bro/intel/intel.dat`.\\n\\n### IRC\\nBro sniffs network traffic and logs IRC metadata including source IP/port, destination IP/port, command, and username.\\n\\n### Kerberos\\nBro sniffs network traffic and logs Kerberos metadata including source IP/port, destination IP/port, cipher, client, server, service, request type, and success status.\\n\\n### Modbus\\nBro sniffs network traffic and logs Modbus metadata including source IP/port, destination IP/port, and function.\\n\\n### MySQL\\nBro sniffs network traffic and logs MySQL metadata including source IP/port, destination IP/port, command/argument, status, and response.\\n\\n### NTLM\\nBro sniffs network traffic and logs NTLM metadata including source IP/port, destination IP/port, hostname, username, and status.\\n\\n### PE\\nBro sniffs network traffic and logs PE metadata including OS, subsystem, machine, and section name.\\n\\n### RADIUS\\nBro sniffs network traffic and logs RADIUS metadata including source IP/port, destination IP/port, username, and result.\\n\\n### RDP\\nBro sniffs network traffic and logs RDP metadata including source IP/port, destination IP/port, client build, keyboard layout, encryption level, and result.\\n\\n### RFB\\nBro sniffs network traffic and logs RFB metadata including source IP/port, destination IP/port, authentication method, authentication status, client version, server version, and desktop name.\\n\\n### SIP\\nBro sniffs network traffic and logs SIP metadata including source IP/port, destination IP/port, method, content type, status, uri, and user agent.\\n\\n### SMB\\nBro sniffs network traffic and logs SMB metadata including source IP/port, destination IP/port, file name, and action.\\n\\n### SMTP\\nBro sniffs network traffic and logs SMTP metadata including source IP/port, destination IP/port, from, to, subject, and user agent.\\n\\n### SNMP\\nBro sniffs network traffic and logs SNMP metadata including source IP/port, 
destination IP/port, version, community, and duration.\\n\\n### Software\\nBro sniffs network traffic and logs metadata relating to the kinds of software that generated that traffic including name, type, and version.\\n\\n### SSH\\nBro sniffs network traffic and logs SSH metadata including source IP/port, destination IP/port, client version, server version, and success.\\n\\n### SSL\\nBro sniffs network traffic and logs SSL metadata including source IP/port, destination IP/port, server name, certificate subject, cipher, and validation status.\\n\\n### Syslog\\nBro sniffs network traffic and logs Syslog metadata including source IP/port, destination IP/port, severity, and protocol.\\n\\n### Tunnels\\nBro sniffs network traffic and detects IP, GRE, SOCKS, TEREDO, and AVAYA tunnels. It logs metadata including source IP/port, destination IP/port, type, and action.\\n\\n### Weird\\nBro sniffs network traffic and logs protocol anomalies metadata including source IP/port, destination IP/port, and the type of anomaly.\\n\\n### X.509\\nBro sniffs network traffic and logs X.509 metadata including certificate subject, issuer, key algorithm, key length, and signing algorithm.\\n\\n### Autoruns\\nSysinternals Autoruns can identify the processes which Windows is configured to automatically run. Autoruns data can then be ingested via [Autoruns To WinEventLog](https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog).\\n\\n### Beats\\nElastic Beats can be deployed on endpoints to collect host telemetry and send to Logstash for storage in Elasticsearch.\\n\\n### OSSEC\\nOSSEC agents can be deployed on endpoints to collect host telemetry and send to the OSSEC Server included in Security Onion. OSSEC Alerts can be found in the Alert Data category at the top of the Navigation Panel. 
This OSSEC hunting dashboard will allow you to hunt through all OSSEC logs, not just alerts.\\n\\n### Sysmon\\nSysinternal Sysmon provides comprehensive telemetry for Windows hosts. Its logs can be consumed using Beats, OSSEC, or other transport mechanism.\\n\\n### Domain Stats\\nSecurity Onion includes a tool called domain_stats which will do a whois lookup on a domain name to determine the age of the domain. If enabled, this dashboard looks for baby domains that have been recently registered. Please note that domain_stats is only enabled when running in Evaluation Mode.\\n\\n### Firewall\\nFirewall logs can be consumed via syslog or other transport mechanism. Once consumed, this dashboard allows you to slice and dice those firewall logs based on source IP/port, destination IP/port, protocol, and action.\\n\\n### Frequency\\nSecurity Onion includes a tool called freq_server which can perform frequency analysis of hostnames. If enabled, this dashboard will show hostnames with a frequency analysis score that indicates that they could have been randomly generated. 
Please note that freq_server is only enabled when running in Evaluation Mode.\\n\\n### Stats\\nThis dashboard shows statistics for Logstash including processing times for different log types and any errors that may have occurred.\\n\\n## More Information\\nFor additional information, please refer to our documentation at:\\n\\nhttps://securityonion.net/docs/Elastic\",\"type\":\"markdown\"},\"aggs\":[]}"}, "coreMigrationVersion": "7.16.2", "id": "AV6-PHKnDwoBUzALqJ_c", "migrationVersion": {"visualization": "7.14.0"}, "references": [], "sort": [1643385898421, 2255], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzM0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":204,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": false, "title": "z16.04 - Help", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "AV6-POJSDwoBUzALqKAg", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "AV6-PHKnDwoBUzALqJ_c", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 2258], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzM1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND 
_exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "SSL - Certificate Issuer Common Name Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Certificate Issuer Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Common Name\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a83f17c0-6f0b-11e7-9d31-23c0596994a7", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2260], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzM2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_ssl AND _exists_:server_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "SSL - Certificate Server Name Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Certificate Server Name Frequency 
Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"server_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c2e54c20-6f0b-11e7-9d31-23c0596994a7", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2262], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzM3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:certificate_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "X.509 - Certificate Common Name Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Common Name Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"certificate_common_name_frequency_score\",\"customLabel\":\"Frequency 
Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e03ba1d0-6f0a-11e7-83d2-adea2f314dc5", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2264], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzM4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_common_name_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "X.509 - Certificate Issuer Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Issuer Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_common_name_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_common_name.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "acd38970-6f0a-11e7-83d2-adea2f314dc5", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2266], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzM5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_x509 AND _exists_:issuer_organization_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "X.509 - Certificate Issuer Organization Frequency Analysis", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate Issuer Organization Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"issuer_organization_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"issuer_organization.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Issuer Organization\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c3f244c0-6f0a-11e7-83d2-adea2f314dc5", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2268], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query_string\":{\"query\":\"event_type:bro_dns AND 
_exists_:parent_domain_frequency_score\",\"analyze_wildcard\":true}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "DNS - Parent Domain Frequency Analysis", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"title\":\"DNS - Parent Domain Frequency Analysis\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"min\",\"schema\":\"metric\",\"params\":{\"field\":\"parent_domain_frequency_score\",\"customLabel\":\"Frequency Score\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"highest_registered_domain.keyword\",\"size\":50,\"order\":\"asc\",\"orderBy\":\"1\",\"customLabel\":\"Domain\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c9f5d3a0-6f05-11e7-b253-211f64f37eda", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2270], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":52,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":76,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":76,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":100,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":100,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":124,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":124,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}
},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":52,\"x\":0,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":80,\"x\":0,\"y\":148,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":28,\"x\":8,\"y\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "z16.04 - Frequency Analysis", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "AWAi5k4jAvKNGEbUWFis", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f1f00a0-6f04-11e7-b253-211f64f37eda", "name": "panel_0", "type": "visualization"}, {"id": "7d1ede50-6f19-11e7-86c8-a1b6db3b051a", "name": "panel_1", "type": "visualization"}, {"id": "8fa702e0-6f0b-11e7-9d31-23c0596994a7", "name": "panel_2", "type": "visualization"}, {"id": "a83f17c0-6f0b-11e7-9d31-23c0596994a7", "name": "panel_3", "type": "visualization"}, {"id": "c2e54c20-6f0b-11e7-9d31-23c0596994a7", "name": "panel_4", "type": "visualization"}, {"id": "e03ba1d0-6f0a-11e7-83d2-adea2f314dc5", "name": "panel_5", "type": "visualization"}, {"id": "acd38970-6f0a-11e7-83d2-adea2f314dc5", "name": "panel_6", "type": "visualization"}, {"id": "c3f244c0-6f0a-11e7-83d2-adea2f314dc5", "name": "panel_7", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_8", "type": "visualization"}, {"id": "aa05e920-3433-11e7-8867-29a39c0f86b2", "name": "panel_9", "type": "search"}, {"id": "c9f5d3a0-6f05-11e7-b253-211f64f37eda", "name": "panel_10", "type": "visualization"}], 
"sort": [1643385898421, 2282], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":48,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":36,\"x\":0,\"y\":48,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"columns\":[\"_source\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"}]", "timeRestore": false, "title": "z16.04 - Baby Domains", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "AWAi6wvxAvKNGEbUWO_j", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "41ec0ca0-6f13-11e7-86c8-a1b6db3b051a", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "fce833e0-6f12-11e7-86c8-a1b6db3b051a", "name": "panel_2", "type": "search"}], "sort": [1643385898421, 2286], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQzLDE1XQ=="} +{"attributes": {"fieldFormatMap": "{\"process_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}},\"event_id\":{\"id\":\"number\",\"params\":{\"pattern\":\"0\"}}}", "fields": 
"[{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_source\",\"type\":\"_source\",\"count\":0,\"scripted\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"aa\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"aa.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"action.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"alert_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"analyzer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"analyzer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"answers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"answers.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"apache2.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apac
he2.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.access.user_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"apache2.error.module\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"apache2.error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"assigned_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.a0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.acct\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.
log.item\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.items\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.new_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_auid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.old_ses\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.ppid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.record_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.res\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auditd.log.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"auth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"auth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_attempts\",\"type
\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"authentication_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"authentication_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_ca\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"basic_constraints_ca.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"basic_constraints_path_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"bound_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\
"call_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"call_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"category.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFr
omDocValues\":false},{\"name\":\"certificate_curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_exponent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_exponent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_key_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_key_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_after\",\"
type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_not_valid_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_number_days_valid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_permanent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_permanent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_serial_number.keyword\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_signing_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_signing_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"certificate_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"certificate_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"checksum\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"checksum.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"cipher\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cipher_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cipher_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"class.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"classification\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"classification.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_build.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_chain_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certifi
cate_chain_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_digital_product_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_digital_product_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_issuer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_issuer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_minor_version.keyword\",\"type\":\"string\",\"count\":0
,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"client_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"client_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"community\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"community.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"company.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compile_ts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compile_ts.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"compression_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"compression_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"computer_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"computer_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connect_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connect_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"connection_state_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"connection_state_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"content_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"content_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cookie\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"cookie.keyword\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"creation_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"current_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"current_directory.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"curve.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_passive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"data_channel_passive.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_channel_source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"date\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dcc_mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dcc_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"desktop_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"desktop_width\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dest_is_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":false,\"readFromDocValues\":false},{\"name\":\"dest_is_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_city\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_city.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.country_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"destination_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"des
tination_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_latitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_latitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_longitude\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_longitude.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination_region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"destination_region.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"a
ggregatable\":true,\"readFromDocValues\":true},{\"name\":\"details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"details.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dir\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dir.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"direction.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"display_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"display_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"docker.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"domain_age\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_age.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"domain_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"domain_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dropped\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dropped.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"enabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"enabled.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"encryption_method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"encryption_method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"endpoint.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"entry_location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"entry_location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"error_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"escalated_user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"escalated_user.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"established\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"established.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AccountName\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AlgorithmName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ConfigurationFileHash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.CurrentDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DestinationPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Details\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.DirtyPages\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ElevatedToken\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.EventType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ExtraInfoString\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FilterID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hash\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Hashes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.HiveNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImagePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyFilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\
":\"event_data.KeyName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeyType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.KeysUpdated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.OriginalSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"re
adFromDocValues\":true},{\"name\":\"event_data.ParentCommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentImage\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ParentProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ProviderName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Reason\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.RestrictedAdminMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ReturnCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceHostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourceIsIpv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SourcePort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.StartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetFilename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLinkedLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetObject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetOutboundUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TargetUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TerminalSessionId\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.User\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.UtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.VirtualAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param10\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param11\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param12\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param13\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"event_data.param14\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param16\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param17\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param19\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param20\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param21\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param22\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.param9\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.serviceGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateRevisionNumber\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_data.updateTitle\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"event_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"exception\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"
name\":\"exception.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"extracted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"extracted.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fc_request\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fc_request.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_ip.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_mime_type\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_mime_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fileset.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"first_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"first_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"flow_label\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"flow_label.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"forwardable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"forwardable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"freq_virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"freq_virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"frequency_scores\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"frequency_scores.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ftp_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ftp_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"function\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"function.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.latitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"geoip.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_bulk_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_bulk_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"get_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"get_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_cert_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_cert_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"n
ame\":\"has_debug_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_debug_data.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_export_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_export_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"has_import_table\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"has_import_table.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"height\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"helo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"helo.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"highest_registered_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"highest_registered_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"history\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"history.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hop_limit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hop_limit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"host_key_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.debug.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":
\"icinga.debug.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.main.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.main.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"icinga.startup.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"icinga.startup.severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"iin\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"iin.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"in_reply_to\",\"ty
pe\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"in_reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"indicator_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"indicator_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"info_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"info_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"initiated\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"initiated.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"integrity_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"integrity_level.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"interface\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"interface.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ip_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_flags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_offset.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggre
gatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_protocol_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_tos\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ipv4_tos.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ipv4_ttl\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"irc_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"irc_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_64bit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_64bit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_exe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_exe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_orig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"is_source_ipv6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_source_ipv6.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"is_webmail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"is_webmail.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_common_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_common_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_distinguished_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_locality.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":
true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_organization_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_organization_unit.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_serial_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"issuer_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"issuer_state.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.component\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.timestamp\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kafka.log.trace.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kafka.log.trace.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kerberos_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kex_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"kex_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keyboard_layout\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"keyboard_layout.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.image\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"na
me\":\"kubernetes.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"kubernetes.pod.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_alert\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_alert.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"last_reply\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"last_reply.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"launch_string\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"launch_string.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"lease_time\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"lease_time.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"length\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"length.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_orig\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_orig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"local_respond\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"local_respond.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"location\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"location.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"log_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logged.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logon_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logon_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.log.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.log.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.plugin_params\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.plugin_type\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.thread\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"logstash.slowlog.took_in_millis\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash.slowlog.took_in_nanos\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"logstash_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mac_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mac_algorithm.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"machine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"machine.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_date\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_date.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mail_from\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mail_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"matched\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"matched.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"md5.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"message_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.instance_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.machine_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.project_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"meta.cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"method.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mimetype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mimetype.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"missing_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"mysql.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql.error.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.error.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.lock_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.query_time.sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_examined\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.rows_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.timestamp\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql.slowlog.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_argument\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_argument.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_command.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"mysql_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"mysql_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"n\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"named_pipe\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"named_pipe.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"native_file_system\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"native_file_system.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"next_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"next_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.acce
ss.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.access.user_name\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.connection_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nginx.error.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nginx.error.tid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"nick\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"nick.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"note\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"note.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"notice\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"notice.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ntlm_success\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ntlm_success.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"num_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"object_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"offset\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"operation.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"orig_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"orig_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"original_country_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"original_country_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"original_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"os.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_agent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_agent_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ossec_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ossec_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"overflow_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"p\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent
_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_domain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_image_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_image_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_guid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"parent_process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"parent_process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"password.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"peer_description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"peer_description.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pesha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"pesha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"port\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.database\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.duration\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"postgresql.log.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"postgresql.log.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prev_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"prev_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"priority.keyword\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_arguments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_arguments.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_guid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"profile\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"profile.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"program.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"prospector.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"protocol_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"protocol_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"proxied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"proxied.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_class\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVa
lues\":true},{\"name\":\"query_class_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_class_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"query_type_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"query_type_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ra\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"ra.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rcode_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rcode_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rd.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"read_timestamp\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reason.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"recipient_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"recipient_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"record_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"redis.log.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.log.role\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.cmd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.duration.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.id\",\"type\":\"number\",\"count\":0,\"scripted\":fals
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"redis.slowlog.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"referrer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rejected\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rejected.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"remote_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"renewable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"renewable.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"reply_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_message.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"reply_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"reply_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_port\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"request_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue},{\"name\":\"request_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"request_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_color_depth\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_color_depth.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"requested_resource\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"requested_resource.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_filenames\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_filenames.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_fuids\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_fuids.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resp_mime_types\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resp_mime_types.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"respond_ip_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"respond_packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_len\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_body_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_path.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"response_to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"response_to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"result\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{
\"name\":\"result.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"resumed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"resumed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rev\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rev.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rig\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rig.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rows.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rtt.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule_number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true},{\"name\":\"rule_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"rule_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"san_dns\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"san_dns.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"second_received\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"second_received.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"section_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"section_names.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"security_protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"security_protocol.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seen_node\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_node.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocVal
ues\":true},{\"name\":\"seen_where\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seen_where.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sensor_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sensor_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"seq\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"seq.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_fuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_fuid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_certificate_subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_certificate_subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_major_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFro
mDocValues\":false},{\"name\":\"server_major_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_minor_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_minor_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"server_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"server_name_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"service.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"set_requests\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"set_requests.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"severity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"severity.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha1.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sha256.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_flag\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_flag.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"share_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"share_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signature_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"signer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"signer.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"site\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"site.keyword\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"size.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"software_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"software_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.city_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.continent_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.dma_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.latitude\",\"type\":\"number\",\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.longitude\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.postal_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_code.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.region_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_geo.timezone.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_hostname.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValu
es\":true},{\"name\":\"source_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_ips\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_ips.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source_port_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"source_port_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sources\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sources.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_message.keyword\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"status_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_msg\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_msg.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sub_rule_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sub_rule_number.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subdomain_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subject\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subject.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,
\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"subsystem\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"subsystem.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"suppress_for\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-facility\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-facility.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-file_name.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-host_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-host_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-legacy_msghdr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-legacy_msghdr.keyword\",\"type\":\"string\",\"count\":0,\"scr
ipted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-pid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-priority\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-priority.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-sourceip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syslog-tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"syslog-tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sysmon_timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"sysmon_timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.groupadd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.message\",\"type\":\"string\",\"coun
t\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.gid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.uid\",\"type\":\"number\",\"count\":0,\"
scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.pid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.program\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.syslog.timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"target_filename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"target_filename.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tc\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tc.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"terminal_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggr
egatable\":false,\"readFromDocValues\":false},{\"name\":\"terminal_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thread_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timed_out\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"timed_out.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_accessed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_accessed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_changed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_changed.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_created.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"times_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"times_modified.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"timestamp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,
\"readFromDocValues\":false},{\"name\":\"timestamp.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tld.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tld.subdomain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tls\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tls.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"to\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"to.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"top_level_domain.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"total_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tracker_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tracker_id.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tra
efik.access.backend_url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.body_sent.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.frontend_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"traefik.access.geoip.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.geoip.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.http_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.referrer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.remote_ip\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.request
_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.response_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.url\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_major\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_minor\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.os_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_agent.patch\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"traefik.access.user_name\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"trans_depth\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"transaction_id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ttls\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tty.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_parents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_parents.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tunnel_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"tunnel_type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uid.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"unparsed_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"unparsed_version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"up_since\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"up_since.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uri.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uri_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"user_agent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryData\
",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.binaryDataSize\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"useragent.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"useragent_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"username.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_aslr\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_aslr.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_code_integrity\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_code_integrity.keyword\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_dep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_dep.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"uses_seh\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"uses_seh.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_from\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_from.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"valid_till\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"valid_till.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"validation_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"validation_status.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"value.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"search
able\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_additional_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_additional_info.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_major\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_major.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor2.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version_minor3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"version_minor3.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"virtual_host.keyword\",\"type\":\"string\",\"count\":0,\"scri
pted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_frequency_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"virtual_host_length\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"warning\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"warning.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"width\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"width.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"x_originating_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"xml\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"year\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"z\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"z.keyword\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "notExpandable": true, "timeFieldName": "@timestamp", "title": "*:logstash-beats-*"}, "coreMigrationVersion": "7.16.2", "id": "AWBLHZaBRuBloj96jvrD", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 2287], "type": "index-pattern", "updated_at": 
"2022-01-28T16:04:58.421Z", "version": "WzE0MzQ0LDE1XQ=="} +{"attributes": {"columns": ["computer_name", "process_id", "user.name", "event_id", "event_data.Image"], "description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "sort": [["@timestamp", "desc"]], "title": "All Beats Logs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "AWBLMr9vRuBloj96jxp1", "migrationVersion": {"search": "7.9.3"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2289], "type": "search", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQ1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Beats - Process IDs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Beats - Process IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"process_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWBLN7X2RuBloj96jxxY", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": 
"index-pattern"}], "sort": [1643385898421, 2291], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQ2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Beats - Computer Names", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Beats - Computer Names\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"computer_name.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWBLNriuRuBloj96jxv3", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2293], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Beats - Event IDs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Beats - Event 
IDs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event_id\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWBLOT8MRuBloj96jx0N", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2295], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQ4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Beats - Usernames", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n \"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"title\":\"Beats - Usernames\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"type\":\"table\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"user.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWBLONJCRuBloj96jxzY", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", 
"name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2297], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Beats - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Beats - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"title\":{\"text\":\"@timestamp per 30 minutes\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"circlesRadius\":1}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"type\":\"line\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true,\"fittingFunction\":\"linear\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"
}, "coreMigrationVersion": "7.16.2", "id": "AWBLQ2__RuBloj96jyDn", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2299], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzUwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Beats - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Beats - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHHHR8xQT5EBNmq4z7", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "AWBLHZaBRuBloj96jvrD", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2301], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzUxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"match_all\":{}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":44,\"x\":0,\"y\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"columns\":[\"computer_name\",\"process_id\",\"user.name\",\"event_id\",\"event_data.Image\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":8,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,\"y\":32,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":8,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":8,\"x\":20,\"y\":0,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":8,\"x\":8,\"y\":0,\"i
\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "z16.04 - Beats", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "AWBLNS3CRuBloj96jxub", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "AWBLMr9vRuBloj96jxp1", "name": "panel_0", "type": "search"}, {"id": "AWBLNriuRuBloj96jxv3", "name": "panel_1", "type": "visualization"}, {"id": "AWBLN7X2RuBloj96jxxY", "name": "panel_2", "type": "visualization"}, {"id": "AWBLOT8MRuBloj96jx0N", "name": "panel_3", "type": "visualization"}, {"id": "AWBLONJCRuBloj96jxzY", "name": "panel_4", "type": "visualization"}, {"id": "AWBLQ2__RuBloj96jyDn", "name": "panel_5", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_6", "type": "visualization"}, {"id": "AWDHHHR8xQT5EBNmq4z7", "name": "panel_7", "type": "visualization"}], "sort": [1643385898421, 2310], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Connections - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG71xFxQT5EBNmq336", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2312], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzUzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"DNS - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDG9Qx0xQT5EBNmq3_2", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2314], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzU0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"SNMP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHD-LfxQT5EBNmq4iB", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2316], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzU1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": 
"{\"title\":\"SIP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHDNS4xQT5EBNmq4dF", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2318], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzU2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMB - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"SMB - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHDfDkxQT5EBNmq4fQ", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2320], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"SMTP - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHDsr0xQT5EBNmq4gw", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2322], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Syslog - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHE-_wxQT5EBNmq4n3", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2324], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Software - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, 
"visState": "{\"title\":\"Software - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHEKJUxQT5EBNmq4jW", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ba3d77e0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2326], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzYwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"SSH - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHEYk4xQT5EBNmq4k5", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2328], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzYxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"SSL - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHElRWxQT5EBNmq4lz", 
"migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2330], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzYyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"Tunnels - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHFYrqxQT5EBNmq4qT", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2332], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzYzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": 
"{\"title\":\"Weird - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHGXk-xQT5EBNmq4uf", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2334], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzY0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "X.509 - Log Count", "uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}", "version": 1, "visState": "{\"title\":\"X.509 - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to 
Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "AWDHGklsxQT5EBNmq4wG", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2336], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzY1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.category.keyword : \\\"registry\\\" \",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - All Event.Cat:Registry Logs", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - All Event.Cat:Registry Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":42}}}}"}, "coreMigrationVersion": "7.16.2", "id": "a0d30200-6405-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": 
"index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2339], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzY2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"505d91a5-4f8c-4350-94d6-f6ef79f78ee5": {"columnOrder": ["48488c44-5465-4f80-8fda-7f09c7fa1b71", "8912ace2-fabe-4cb8-9ee7-9fe38a018b83"], "columns": {"48488c44-5465-4f80-8fda-7f09c7fa1b71": {"dataType": "string", "isBucketed": true, "label": "Top values of host.os.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "8912ace2-fabe-4cb8-9ee7-9fe38a018b83", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 3}, "scale": "ordinal", "sourceField": "host.os.name"}, "8912ace2-fabe-4cb8-9ee7-9fe38a018b83": {"dataType": "number", "isBucketed": false, "label": "Unique count of host.name", "operationType": "unique_count", "scale": "ratio", "sourceField": "host.name"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["48488c44-5465-4f80-8fda-7f09c7fa1b71"], "layerId": "505d91a5-4f8c-4350-94d6-f6ef79f78ee5", "layerType": "data", "legendDisplay": "default", "metric": "8912ace2-fabe-4cb8-9ee7-9fe38a018b83", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "donut"}}, "title": "Endgame - Host Operating Systems", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "a2244d00-624b-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-505d91a5-4f8c-4350-94d6-f6ef79f78ee5", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", 
"name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2343], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzY3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Top 10 - Total Bytes By Connection", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Connection\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Connection ID\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"left\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\",\"customLabel\":\"Total Bytes\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection 
ID\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"uid.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Connection ID\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f1325230-3b0d-11e7-a0fe-29878c6f414a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2345], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzY4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Top 10 - Total Bytes By Destination Port", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Connections - Top 10 - Total Bytes By Destination Port\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination Port\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Max 
total_bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"total_bytes\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_port\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "acd65230-3b0d-11e7-a0fe-29878c6f414a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2347], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Top 10 - Total Bytes By Destination IP", "uiStateJSON": "{}", "version": 1, "visState": "{\"aggs\":[{\"enabled\":true,\"id\":\"1\",\"params\":{\"customLabel\":\"Total Bytes\",\"field\":\"total_bytes\"},\"schema\":\"metric\",\"type\":\"max\"},{\"enabled\":true,\"id\":\"4\",\"params\":{\"customLabel\":\"Destination IP 
Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":10},\"schema\":\"segment\",\"type\":\"terms\"},{\"enabled\":true,\"id\":\"5\",\"params\":{\"customLabel\":\"Destination IP Address\",\"field\":\"destination_ip\",\"order\":\"desc\",\"orderBy\":\"1\",\"size\":5},\"schema\":\"group\",\"type\":\"terms\"}],\"listeners\":{},\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Destination IP Address\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"orderBucketsBySum\":false,\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Total Bytes\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Total Bytes\"},\"type\":\"value\"}]},\"title\":\"Connections - Top 10 - Total Bytes By Destination IP\",\"type\":\"histogram\"}"}, "coreMigrationVersion": "7.16.2", "id": "eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2349], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzcwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, 
"kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":71,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":20,\"h\":18,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":18,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":18,\"w\":20,\"h\":20,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":38,\"w\":40,\"h\":33,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":71,\"w\":48,\"h\":35,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":28,\"y\":18,\"w\":20,\"h\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"}]", "timeRestore": false, "title": "Connections - Total Bytes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a2ab0c40-3b0a-11e7-a6f9-5d3fe735ec2b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "f1325230-3b0d-11e7-a0fe-29878c6f414a", "name": "panel_1", "type": "visualization"}, {"id": 
"acd65230-3b0d-11e7-a0fe-29878c6f414a", "name": "panel_2", "type": "visualization"}, {"id": "41a33c80-3b0d-11e7-a6f9-5d3fe735ec2b", "name": "panel_3", "type": "visualization"}, {"id": "726cc040-48cf-11e8-9576-313be7c6b44b", "name": "panel_4", "type": "visualization"}, {"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "panel_5", "type": "search"}, {"id": "eeafbb70-3b0c-11e7-a6f9-5d3fe735ec2b", "name": "panel_6", "type": "visualization"}], "sort": [1643385898421, 2357], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzcxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a5045e20-3bd1-11e7-a3ae-1754b87179c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2359], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzcyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", 
"title": "SMB - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMB - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a663e070-4c78-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2361], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SNMP - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "a67546c0-3640-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2363], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzc0LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"3895de20-9e00-43b5-b87f-b1c0bfa33b71": {"columnOrder": ["409d0c1c-683e-45b6-ba92-805285d63f55", "04cce9d7-67c1-4fd9-964d-f34dd053e070"], "columns": {"04cce9d7-67c1-4fd9-964d-f34dd053e070": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "409d0c1c-683e-45b6-ba92-805285d63f55": {"dataType": "date", "isBucketed": 
true, "label": "@timestamp", "operationType": "date_histogram", "params": {"interval": "auto"}, "scale": "interval", "sourceField": "@timestamp"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"registry\" "}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["04cce9d7-67c1-4fd9-964d-f34dd053e070"], "layerId": "3895de20-9e00-43b5-b87f-b1c0bfa33b71", "layerType": "data", "position": "top", "seriesType": "line", "showGridlines": false, "xAccessor": "409d0c1c-683e-45b6-ba92-805285d63f55"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "line", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Event.Cat:Registry Log Count Over Time", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "e09d6340-6cc9-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-3895de20-9e00-43b5-b87f-b1c0bfa33b71", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2367], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzc1LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"9643f560-7a46-408c-b61d-ed2a87fc6103": {"columnOrder": ["fdf33737-65bc-4b40-a118-140a43e9b7e5", "3520723b-f0f3-4845-975c-e97380d8124b"], "columns": 
{"3520723b-f0f3-4845-975c-e97380d8124b": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "fdf33737-65bc-4b40-a118-140a43e9b7e5": {"dataType": "string", "isBucketed": true, "label": "Top values of process.executable", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "3520723b-f0f3-4845-975c-e97380d8124b", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 10}, "scale": "ordinal", "sourceField": "process.executable"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": "event.category.keyword : \"registry\" "}, "visualization": {"axisTitlesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "fittingFunction": "None", "gridlinesVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "labelsOrientation": {"x": 0, "yLeft": 0, "yRight": 0}, "layers": [{"accessors": ["3520723b-f0f3-4845-975c-e97380d8124b"], "layerId": "9643f560-7a46-408c-b61d-ed2a87fc6103", "layerType": "data", "seriesType": "bar_horizontal", "xAccessor": "fdf33737-65bc-4b40-a118-140a43e9b7e5"}], "legend": {"isVisible": true, "position": "right"}, "preferredSeriesType": "bar_horizontal", "tickLabelsVisibilitySettings": {"x": true, "yLeft": true, "yRight": true}, "valueLabels": "hide", "yLeftExtent": {"mode": "full"}, "yRightExtent": {"mode": "full"}}}, "title": "Endgame - Registry Event process.executable", "visualizationType": "lnsXY"}, "coreMigrationVersion": "7.16.2", "id": "e9afc350-6cc5-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-9643f560-7a46-408c-b61d-ed2a87fc6103", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", 
"type": "tag"}], "sort": [1643385898421, 2371], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzc2LDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"65529737-0abd-4698-a75c-47c2e0934cc4": {"columnOrder": ["4fb772fa-d1e1-4746-9eaf-83e1690feb92", "26daa4f5-0a68-4fae-8385-0804a8d8d42b"], "columns": {"26daa4f5-0a68-4fae-8385-0804a8d8d42b": {"customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "4fb772fa-d1e1-4746-9eaf-83e1690feb92": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "user.name", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "26daa4f5-0a68-4fae-8385-0804a8d8d42b", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "user.name"}}, "incompleteColumns": {}}}}}, "filters": [{"$state": {"store": "appState"}, "meta": {"alias": null, "disabled": false, "indexRefName": "filter-index-pattern-0", "key": "event.category", "negate": false, "params": {"query": "registry"}, "type": "phrase"}, "query": {"match_phrase": {"event.category": "registry"}}}], "query": {"language": "kuery", "query": ""}, "visualization": {"columns": [{"columnId": "4fb772fa-d1e1-4746-9eaf-83e1690feb92"}, {"columnId": "26daa4f5-0a68-4fae-8385-0804a8d8d42b"}], "layerId": "65529737-0abd-4698-a75c-47c2e0934cc4", "layerType": "data"}}, "title": "Endgame - Registry User Name", "visualizationType": "lnsDatatable"}, "coreMigrationVersion": "7.16.2", "id": "c86a8ba0-6e44-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-65529737-0abd-4698-a75c-47c2e0934cc4", "type": "index-pattern"}, {"id": "endgame-*", "name": 
"filter-index-pattern-0", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2376], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzc3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"useMargins\":true,\"syncColors\":false,\"hidePanelTitles\":false}", "panelsJSON": "[{\"version\":\"7.16.0\",\"type\":\"visualization\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":11,\"i\":\"066310d0-63f3-4cc8-9daa-8c0be5ad5b5f\"},\"panelIndex\":\"066310d0-63f3-4cc8-9daa-8c0be5ad5b5f\",\"embeddableConfig\":{\"savedVis\":{\"title\":\"Endgame - Navigation\",\"description\":\"\",\"type\":\"markdown\",\"params\":{\"fontSize\":12,\"openLinksInNewTab\":false,\"markdown\":\"[Admin](/kibana/app/dashboards#/view/6063a9e0-61b2-11ec-864c-8b5450f97635) \\n \\n**Event Category** \\n[Alert](https://PLACEHOLDER/kibana/app/dashboards#/view/0c8e61c0-67fc-11ec-864c-8b5450f97635) | \\n[File](/kibana/app/dashboards#/view/4923ad00-6349-11ec-864c-8b5450f97635) | [Network](/kibana/app/dashboards#/view/49d34770-53b2-11ec-b3ef-6bcc33056a36) | [Process](/kibana/app/dashboards#/view/790991a0-6287-11ec-864c-8b5450f97635) | [Authentication](/kibana/app/dashboards#/view/6c5aaff0-63f6-11ec-864c-8b5450f97635) | [Registry](/kibana/app/dashboards#/view/a6c6c880-63f7-11ec-864c-8b5450f97635)\\n\\n**Endgame** \\n[Endgame 
Alerts](https://ENDGAMEHOST/alerts/dashboard)\"},\"uiState\":{},\"data\":{\"aggs\":[],\"searchSource\":{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}}},\"enhancements\":{},\"type\":\"visualization\"},\"panelRefName\":\"panel_066310d0-63f3-4cc8-9daa-8c0be5ad5b5f\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":8,\"y\":0,\"w\":10,\"h\":11,\"i\":\"06494306-08f9-440f-a361-d63cbd6176be\"},\"panelIndex\":\"06494306-08f9-440f-a361-d63cbd6176be\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Registry All Logs \",\"panelRefName\":\"panel_06494306-08f9-440f-a361-d63cbd6176be\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":18,\"y\":0,\"w\":30,\"h\":11,\"i\":\"9461ee7e-d1fd-448b-9094-eff9e2ebdd58\"},\"panelIndex\":\"9461ee7e-d1fd-448b-9094-eff9e2ebdd58\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Registry Logs Over Time\",\"panelRefName\":\"panel_9461ee7e-d1fd-448b-9094-eff9e2ebdd58\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":11,\"w\":33,\"h\":17,\"i\":\"3265c94f-df4b-4a1d-bc7c-64c2e99e72a7\"},\"panelIndex\":\"3265c94f-df4b-4a1d-bc7c-64c2e99e72a7\",\"embeddableConfig\":{\"hidePanelTitles\":false,\"enhancements\":{}},\"title\":\"Endgame - Registry Event Process\",\"panelRefName\":\"panel_3265c94f-df4b-4a1d-bc7c-64c2e99e72a7\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":33,\"y\":11,\"w\":15,\"h\":17,\"i\":\"ca05c1e6-7d21-4c69-b6be-ab95031f30f9\"},\"panelIndex\":\"ca05c1e6-7d21-4c69-b6be-ab95031f30f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_ca05c1e6-7d21-4c69-b6be-ab95031f30f9\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":0,\"y\":28,\"w\":30,\"h\":17,\"i\":\"5b3b7aed-80c9-4e18-a55a-7ca2841913a1\"},\"panelIndex\":\"5b3b7aed-80c9-4e18-a55a-7ca2841913a1\",\"embeddableConfig\":{\"enhancements\":{},\"hidePanelTitles\":false},\"title\":\"Endgame - 
Registry Events\",\"panelRefName\":\"panel_5b3b7aed-80c9-4e18-a55a-7ca2841913a1\"},{\"version\":\"7.15.2\",\"type\":\"lens\",\"gridData\":{\"x\":30,\"y\":28,\"w\":18,\"h\":17,\"i\":\"83bb52e5-74b3-459b-8767-78bc47d1ff8d\"},\"panelIndex\":\"83bb52e5-74b3-459b-8767-78bc47d1ff8d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_83bb52e5-74b3-459b-8767-78bc47d1ff8d\"},{\"version\":\"7.15.2\",\"type\":\"search\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":34,\"i\":\"aa14e2db-4c3d-4a44-ad58-aae071e6ed3f\"},\"panelIndex\":\"aa14e2db-4c3d-4a44-ad58-aae071e6ed3f\",\"embeddableConfig\":{\"enhancements\":{},\"columns\":[\"host.name\",\"registry.path\",\"related.user\",\"registry.key\",\"registry.value\"]},\"panelRefName\":\"panel_aa14e2db-4c3d-4a44-ad58-aae071e6ed3f\"}]", "timeRestore": false, "title": "Endgame - Registry", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a6c6c880-63f7-11ec-864c-8b5450f97635", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "754f7380-6d82-11ec-864c-8b5450f97635", "name": "066310d0-63f3-4cc8-9daa-8c0be5ad5b5f:panel_066310d0-63f3-4cc8-9daa-8c0be5ad5b5f", "type": "visualization"}, {"id": "10af1a20-6cc9-11ec-864c-8b5450f97635", "name": "06494306-08f9-440f-a361-d63cbd6176be:panel_06494306-08f9-440f-a361-d63cbd6176be", "type": "lens"}, {"id": "e09d6340-6cc9-11ec-864c-8b5450f97635", "name": "9461ee7e-d1fd-448b-9094-eff9e2ebdd58:panel_9461ee7e-d1fd-448b-9094-eff9e2ebdd58", "type": "lens"}, {"id": "e9afc350-6cc5-11ec-864c-8b5450f97635", "name": "3265c94f-df4b-4a1d-bc7c-64c2e99e72a7:panel_3265c94f-df4b-4a1d-bc7c-64c2e99e72a7", "type": "lens"}, {"id": "c86a8ba0-6e44-11ec-864c-8b5450f97635", "name": "ca05c1e6-7d21-4c69-b6be-ab95031f30f9:panel_ca05c1e6-7d21-4c69-b6be-ab95031f30f9", "type": "lens"}, {"id": "e1e12ab0-6cc5-11ec-864c-8b5450f97635", "name": "5b3b7aed-80c9-4e18-a55a-7ca2841913a1:panel_5b3b7aed-80c9-4e18-a55a-7ca2841913a1", "type": "lens"}, {"id": "8d1f99e0-6e45-11ec-864c-8b5450f97635", "name": 
"83bb52e5-74b3-459b-8767-78bc47d1ff8d:panel_83bb52e5-74b3-459b-8767-78bc47d1ff8d", "type": "lens"}, {"id": "0359b740-64cc-11ec-864c-8b5450f97635", "name": "aa14e2db-4c3d-4a44-ad58-aae071e6ed3f:panel_aa14e2db-4c3d-4a44-ad58-aae071e6ed3f", "type": "search"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2386], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzc4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Strelka - Request - Client", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Strelka - Request - Client\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"request.client.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request.client.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a7ebb450-772c-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2388], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzc5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Data Overview", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Data 
Overview\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"event.category.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Category\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":false,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":false,\"last_level\":false,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Category\",\"aggType\":\"terms\"},{\"accessor\":2,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"url\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"},\"urlTemplate\":\"/kibana/app/dashboards#/view/30d0ac90-729f-11ea-8dd2-9d8795a1200b?_g=(filters:!(('$state':(store:globalState),meta:(alias:!n,disabled:!f,index:'2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29',key:event.module.keyword,negate:!f,params:(query:{{ value }}),type:phrase),query:(match_phrase:(event.module.keyword:{{ value 
}})))),refreshInterval:(pause:!t,value:0),time:(from:now%2Fw,to:now%2Fw))&_a=(description:'',filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),panels:!((embeddableConfig:(),gridData:(h:8,i:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,w:9,x:0,y:0),id:'8cfec8c0-6ec2-11ea-9266-1fd14ca6af34',panelIndex:c706b8e5-9d49-4700-a3ea-26e86ac3a4c4,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:'77c5d557-83e4-40b9-9177-388db29d711d',w:16,x:9,y:0),id:d04b5130-6e99-11ea-9266-1fd14ca6af34,panelIndex:'77c5d557-83e4-40b9-9177-388db29d711d',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:8,i:f044ff9c-455a-4085-88c8-92e9ead2bba0,w:23,x:25,y:0),id:d9eb5b30-6ea9-11ea-9266-1fd14ca6af34,panelIndex:f044ff9c-455a-4085-88c8-92e9ead2bba0,type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'54873f75-4452-4938-840d-3a2f50547a88',w:9,x:0,y:8),id:ad398b70-6e9a-11ea-9266-1fd14ca6af34,panelIndex:'54873f75-4452-4938-840d-3a2f50547a88',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'30749cb6-18ad-4069-b18d-5912086fff9c',w:13,x:9,y:8),id:'6b18be30-72a7-11ea-8dd2-9d8795a1200b',panelIndex:'30749cb6-18ad-4069-b18d-5912086fff9c',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'7c498d50-d009-493a-a8c9-c91303ad5556',w:13,x:22,y:8),id:b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'7c498d50-d009-493a-a8c9-c91303ad5556',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:19,i:'2f69e716-e6e9-4595-801d-8f59b7d2c574',w:13,x:35,y:8),id:f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b,panelIndex:'2f69e716-e6e9-4595-801d-8f59b7d2c574',type:visualization,version:'7.6.1'),(embeddableConfig:(),gridData:(h:31,i:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',w:48,x:0,y:27),id:'8b6f3150-72a2-11ea-8dd2-9d8795a1200b',panelIndex:'6ddfd0a2-337e-47d1-8d4c-bc386a4210af',type:search,version:'7.6.1')),query:(language:kuery,query:'*'),timeRestore:!f,title:'Security%20Onion%20-%20Indicator',viewMode:
view)\",\"labelTemplate\":\"{{ value }}\"}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true}}"}, "coreMigrationVersion": "7.16.2", "id": "ac6b1720-7559-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2390], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzgwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"observer.name:* OR agent.name:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Log Count By Node ", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Log Count By Node \",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"observer.name.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"observer.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Node\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "a9fae5c0-6e9b-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2392], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzgxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":8,\"i\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\"},\"panelIndex\":\"e243c0f0-f7cf-453e-8f5c-dc93e4651d69\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":0,\"w\":17,\"h\":8,\"i\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\"},\"panelIndex\":\"5fdac8ff-799a-4d54-8dcb-ee1728d9623d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"126f5365-8829-469d-8349-a08874975584\"},\"panelIndex\":\"126f5365-8829-469d-8349-a08874975584\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":22,\"h\":26,\"i\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\"},\"panelIndex\":\"9c61759c-0b14-433b-bca7-fd22f9a20630\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":8,\"w\":9,\"h\":26,\"i\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\"},\"panelIndex\":\"504e0ba1-08f7-4601-833d-6615d84e8fba\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":8,\"w\":8,\"h\":26,\"i\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\"},\"panelIndex\":\"e3425787-250b-4dad-8244-4c7ba65df3d9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":8,\"w\":9,\"h\":26,\"i\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\"},\"panelIndex\":\"9c133f8f-ca11-4a4b-ac5a-3dfe3b87f20e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":34,\"w\":48,\"h\":30,\"i\":\"3c89322f-4209-40ba-bbe7-5c5fb45420ac\"},\"panelIndex\":\"3c89322f-4209-40ba-bbe7-5c5fb45420ac\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - Home", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "a8411b30-6d03-11ea-b301-3d6c35840645", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "8cfec8c0-6ec2-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "ac6b1720-7559-11ea-9565-7315f4ee5cac", "name": "panel_3", "type": "visualization"}, {"id": "ad398b70-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_4", "type": "visualization"}, {"id": "8b065a80-6eca-11ea-9266-1fd14ca6af34", "name": "panel_5", "type": "visualization"}, {"id": "a9fae5c0-6e9b-11ea-9266-1fd14ca6af34", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2401], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzgyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNS - Response Code Name (Donut)", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns.response.code_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dns.response.code_name.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - DNS - Response Code Name (Donut)\"}"}, "coreMigrationVersion": "7.16.2", "id": "a9bd4090-72b9-11ea-8dd2-9d8795a1200b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2403], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzgzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\n \"query\": {\n \"language\": \"kuery\",\n \"query\": \"\"\n },\n \"filter\": []\n}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Osquery - Query Results Count", "uiStateJSON": "{\n \"vis\": {\n \"params\": {\n \"sort\": {\n 
\"columnIndex\": null,\n \"direction\": null\n }\n }\n }\n}", "version": 1, "visState": "{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Query Results\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.hostname.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.live_query.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Live Query Pivot\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"result.endpoint_ip1.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Endpoint Primary IP\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"showToolbar\":true},\"title\":\"Security Onion - Osquery - Query Results Count\"}"}, "coreMigrationVersion": "7.16.2", "id": "ab47a590-afcc-11ea-b262-353d451b125b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9eed5fc0-afcb-11ea-b262-353d451b125b", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 2405], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzg0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.6.1\",\"gridData\":{\"h\":8,\"i\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"3919aa4b-bef6-4545-a780-484bae2df9ee\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"}]", "timeRestore": false, "title": "Security Onion - Users", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "abbe1140-72c7-11ea-8dd2-9d8795a1200b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "8cfec8c0-6ec2-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}], "sort": [1643385898421, 2407], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzg1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Dataset By Node", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Dataset By 
Node\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.dataset.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "abffa080-6ec9-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2409], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzg2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f5166880-374f-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2411], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzg3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Request Path", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - Request Path\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"request_path.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Request Path\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "dddb4430-3752-11e7-b74a-f5057991ccd2", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], 
"sort": [1643385898421, 2413], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzg4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SIP - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SIP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "dfd1dc00-6e24-11e7-a261-55504638cf3b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2415], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzg5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":48,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":72,\"w\":16,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":72,\"w\":16,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":12,\"h\":16,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":96,\"w\":48,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":48,\"w\":28,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":24,\"w\":16,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":48,\"w\":20,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\"
:{\"columnIndex\":1,\"direction\":\"asc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":12,\"h\":16,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":120,\"w\":48,\"h\":30,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":16,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":72,\"w\":16,\"h\":24,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":24,\"w\":24,\"h\":24,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"}]", "timeRestore": false, "title": "z16.04 - Bro - SIP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ad3c0830-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "5393c710-3640-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "f5166880-374f-11e7-b74a-f5057991ccd2", "name": "panel_2", "type": "visualization"}, {"id": "04e1aea0-3750-11e7-b74a-f5057991ccd2", "name": 
"panel_3", "type": "visualization"}, {"id": "90bf0a80-3750-11e7-b74a-f5057991ccd2", "name": "panel_4", "type": "visualization"}, {"id": "dddb4430-3752-11e7-b74a-f5057991ccd2", "name": "panel_5", "type": "visualization"}, {"id": "5e36c370-3753-11e7-b74a-f5057991ccd2", "name": "panel_6", "type": "visualization"}, {"id": "73f663f0-3753-11e7-b74a-f5057991ccd2", "name": "panel_7", "type": "visualization"}, {"id": "930b1600-3753-11e7-b74a-f5057991ccd2", "name": "panel_8", "type": "visualization"}, {"id": "2db47070-3754-11e7-b74a-f5057991ccd2", "name": "panel_9", "type": "visualization"}, {"id": "9e131480-342e-11e7-9e93-53b62e1857b2", "name": "panel_10", "type": "search"}, {"id": "1ef5c230-6e24-11e7-a261-55504638cf3b", "name": "panel_11", "type": "visualization"}, {"id": "dfd1dc00-6e24-11e7-a261-55504638cf3b", "name": "panel_12", "type": "visualization"}, {"id": "AWDHDNS4xQT5EBNmq4dF", "name": "panel_13", "type": "visualization"}, {"id": "0291dba0-4c78-11e8-9b0a-f1d33346f773", "name": "panel_14", "type": "visualization"}], "sort": [1643385898421, 2431], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzkwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.module:zeek AND event.dataset:file\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"257c130f-3673-410c-9f60-d67deb13b580\"},\"panelIndex\":\"257c130f-3673-410c-9f60-d67deb13b580\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":7,\"i\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\"},\"panelIndex\":\"de6206b4-7adb-44a0-ae00-2d28274478c8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":7,\"i\":\"93532ba0-f446-4a97-8783-a04dd4347485\"},\"panelIndex\":\"93532ba0-f446-4a97-8783-a04dd4347485\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":7,\"w\":8,\"h\":19,\"i\":\"a2af856c-7069-46b2-974c-e8b9054af929\"},\"panelIndex\":\"a2af856c-7069-46b2-974c-e8b9054af929\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":7,\"w\":9,\"h\":19,\"i\":\"4a3de026-5001-46a6-af20-78db885bd4bb\"},\"panelIndex\":\"4a3de026-5001-46a6-af20-78db885bd4bb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":17,\"y\":7,\"w\":17,\"h\":19,\"i\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\"},\"panelIndex\":\"74071657-abfc-49e7-a0c3-e318b72a9d4c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":7,\"w\":14,\"h\":19,\"i\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\"},\"panelIndex\":\"2379029c-c749-4804-91df-3d9be3fc4f8a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":21,\"h\":19,\"i\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\"},\"panelIndex\":\"0e36a0b5-5905-43c6-8ae1-f3eb348571a0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":21,\"y\":26,\"w\":8,\"h\":19,\"i\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\"},\"panelIndex\":\"99813eab-a19b-47d2-a8ee-8bcb667eedbf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":26,\"w\":10,\"h\":19,\"i\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\"},\"panelIndex\":\"18a734f4-78a1-4d84-9f7f-7c5aa6d3b1c2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":39,\"y\":26,\"w\":9,\"h\":19,\"i\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\"},\"panelIndex\":\"c51df9f8-9010-4cae-9c7c-76ca7af98f13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":45,\"w\":48,\"h\":24,\"i\":\"226350dd-3afe-4135-a8da-71db63287a95\"},\"panelIndex\":\"226350dd-3afe-4135-a8da-71db63287a95\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "Security Onion - Zeek Files", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ad4d5d60-75f4-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "8cfec8c0-6ec2-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "bcf25e30-75f1-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "e8d35c50-75f3-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "09fc6ef0-7732-11ea-bee5-af7f7c7b8e05", "name": "panel_7", "type": "visualization"}, {"id": "2fc4bea0-7730-11ea-bee5-af7f7c7b8e05", "name": 
"panel_8", "type": "visualization"}, {"id": "49cfe850-772c-11ea-bee5-af7f7c7b8e05", "name": "panel_9", "type": "visualization"}, {"id": "efc25540-75f1-11ea-9565-7315f4ee5cac", "name": "panel_10", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_11", "type": "search"}], "sort": [1643385898421, 2444], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzkxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Syslog - Destination IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Destination IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2446], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzkyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SSL - Destination Country (Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SSL - 
Destination Country (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"destination_geo.country_name.keyword: Descending\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ae959820-365c-11e7-8bd0-1db2c55fb7a1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": 
[1643385898421, 2448], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0MzkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - TLS - True/False (Vertical Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"SMTP - TLS - True/False (Vertical Bar Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"TLS\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "aeb71cc0-6e29-11e7-8b76-75eee0095daa", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2450], "type": "visualization", 
"updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzk0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Initial Systems/Queries\",\"disabled\":true,\"key\":\"osquery.counter\",\"negate\":true,\"params\":{\"query\":0,\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"0\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match\":{\"osquery.counter\":{\"query\":0,\"type\":\"phrase\"}}}},{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":\"Servers Only\",\"disabled\":true,\"key\":\"osquery.codename\",\"negate\":false,\"params\":{\"query\":\"server\",\"type\":\"phrase\"},\"type\":\"phrase\",\"value\":\"server\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index\"},\"query\":{\"match\":{\"osquery.codename\":{\"query\":\"server\",\"type\":\"phrase\"}}}}],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":\"*\"}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":64,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":17,\"h\":11,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":29,\"w\":40,\"h\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Chrome Extensions - Logs\",\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":8,\"y\":11,\"w\":40,\"h\":18,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Chrome Extensions - Sensitive 
Permissions\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":25,\"y\":0,\"w\":23,\"h\":11,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Chrome Extensions - Changes by Hostname\",\"panelRefName\":\"panel_4\"}]", "timeRestore": false, "title": "osquery - Chrome Extensions", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "af0ea750-18d3-11e9-932c-d12d2cf4ee95", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[1].meta.index", "type": "index-pattern"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "71538370-18d5-11e9-932c-d12d2cf4ee95", "name": "panel_1", "type": "visualization"}, {"id": "0eee4360-18d4-11e9-932c-d12d2cf4ee95", "name": "panel_2", "type": "search"}, {"id": "78cf8bf0-1a59-11e9-ac0b-cb0ba10141ab", "name": "panel_3", "type": "visualization"}, {"id": "04f86530-1a59-11e9-ac0b-cb0ba10141ab", "name": "panel_4", "type": "visualization"}], "sort": [1643385898421, 2458], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzk1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Osquery - Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Osquery - Name\"}"}, "coreMigrationVersion": "7.16.2", "id": "af139720-afcb-11ea-b262-353d451b125b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2460], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzk2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DHCP - Message Type (Donut)", "uiStateJSON": "{}", "version": 1, "visState": 
"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dhcp.message_types.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message Type\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - DHCP - Message Type (Donut)\"}"}, "coreMigrationVersion": "7.16.2", "id": "af26c6e0-96e6-11ea-814e-bb515e873c2c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2462], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzk3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"SMTP\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c47e2a10-39a1-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2464], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzk4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SMTP - Destination Country (Donut Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SMTP - Destination Country (Donut Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}]}"}, "coreMigrationVersion": 
"7.16.2", "id": "dfe23030-39a1-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2466], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0Mzk5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - TLS (Pie Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"SMTP - TLS (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tls.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "c3bb32c0-39a2-11e7-8472-0151e5b2b475", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2468], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDAwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f18a0480-3bd0-11e7-9c09-4f161b0766dd", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2470], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDAxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - User Agent", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - User Agent\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"useragent.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d776e510-6e28-11e7-8b76-75eee0095daa", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2472], "type": 
"visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDAyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SMTP - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SMTP - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "d5aa6d00-6e29-11e7-8b76-75eee0095daa", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2474], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDAzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":28,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":80,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":80,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":56,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":56,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":28,\"x\":0,\"y\":104,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":8,
\"y\":32,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":20,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":20,\"i\":\"18\"},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"}]", "timeRestore": false, "title": "z16.04 - Bro - SMTP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b10a9c60-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "7c922990-3640-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "c47e2a10-39a1-11e7-8472-0151e5b2b475", "name": "panel_2", "type": "visualization"}, {"id": "dfe23030-39a1-11e7-8472-0151e5b2b475", "name": "panel_3", "type": "visualization"}, {"id": "73b1b240-39a2-11e7-8472-0151e5b2b475", "name": "panel_4", "type": "visualization"}, {"id": "96767400-39a2-11e7-8472-0151e5b2b475", "name": "panel_5", "type": "visualization"}, {"id": "c3bb32c0-39a2-11e7-8472-0151e5b2b475", "name": "panel_6", "type": "visualization"}, {"id": "f18a0480-3bd0-11e7-9c09-4f161b0766dd", "name": "panel_7", "type": "visualization"}, {"id": "a5045e20-3bd1-11e7-a3ae-1754b87179c0", "name": "panel_8", "type": "visualization"}, {"id": "a6cea530-342e-11e7-9e93-53b62e1857b2", "name": "panel_9", "type": "search"}, {"id": 
"d776e510-6e28-11e7-8b76-75eee0095daa", "name": "panel_10", "type": "visualization"}, {"id": "53beb0d0-6e29-11e7-8b76-75eee0095daa", "name": "panel_11", "type": "visualization"}, {"id": "aeb71cc0-6e29-11e7-8b76-75eee0095daa", "name": "panel_12", "type": "visualization"}, {"id": "d5aa6d00-6e29-11e7-8b76-75eee0095daa", "name": "panel_13", "type": "visualization"}, {"id": "AWDHDsr0xQT5EBNmq4gw", "name": "panel_14", "type": "visualization"}], "sort": [1643385898421, 2490], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDA0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNP3 - IIN", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DNP3 - IIN\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.iin: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.iin\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"IIN\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f991b6d0-75b8-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2492], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDA1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:dnp3\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\"},\"panelIndex\":\"728d0151-5dc6-429d-9b14-b457ab73d3fd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":15,\"h\":8,\"i\":\"1b99097d-a957-4163-9810-263a0e653c18\"},\"panelIndex\":\"1b99097d-a957-4163-9810-263a0e653c18\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":8,\"i\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\"},\"panelIndex\":\"43bb3cf4-ee4a-4eba-8eea-8e133957fd48\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":8,\"h\":19,\"i\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\"},\"panelIndex\":\"87f23747-38c9-4d15-a85b-8beff66abaf4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\"},\"panelIndex\":\"d10ae5ac-6400-4a2c-a376-e6e74ed529ad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":8,\"w\":12,\"h\":19,\"i\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\"},\"panelIndex\":\"a9916c8f-c82b-413d-8561-64ce0d68d3b8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":20,\"h\":19,\"i\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\"},\"panelIndex\":\"04426d00-3313-40eb-a0c9-2541a7ea99f3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":28,\"i\":\"f36f0fec-ab1e-4aea-84ea-4cf0fedcfffc\"},\"panelIndex\":\"f36f0fec-ab1e-4aea-84ea-4cf0fedcfffc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", 
"timeRestore": false, "title": "Security Onion - DNP3", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b1f52180-755a-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "f991b6d0-75b8-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "214793c0-75b9-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2501], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDA2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RFB - Authentication Method", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RFB - Authentication 
Method\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.authentication.method.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.authentication.method.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Method\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "b2053990-75c7-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2503], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDA3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:kerberos\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":14,\"h\":9,\"i\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\"},\"panelIndex\":\"caa0aaa2-ed03-47b4-9a9f-c0f9b8d50da9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":14,\"y\":0,\"w\":15,\"h\":9,\"i\":\"e0e4a50d-887b-472b-a790-302966fb6f49\"},\"panelIndex\":\"e0e4a50d-887b-472b-a790-302966fb6f49\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\"},\"panelIndex\":\"5cca2c4b-7299-4122-a3d5-3637ef23dc5d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":10,\"h\":19,\"i\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\"},\"panelIndex\":\"aa944a94-288e-490f-9e04-f5b3bc2cf19f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":9,\"w\":10,\"h\":19,\"i\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\"},\"panelIndex\":\"ebc359a7-3dce-4e7d-bd70-355cc8099437\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":9,\"w\":11,\"h\":19,\"i\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\"},\"panelIndex\":\"251dacac-b4c5-481a-9e41-8173e9bc27ab\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":31,\"y\":9,\"w\":7,\"h\":19,\"i\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\"},\"panelIndex\":\"1a78a61c-7b0a-425f-ade8-bcbb302a2585\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":38,\"y\":9,\"w\":10,\"h\":19,\"i\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\"},\"panelIndex\":\"eba2e210-8b36-41a7-8ac5-7d63cfc022e1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\"
:\"7.9.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":29,\"i\":\"13a216e9-1e56-4069-a61a-238ff604a18b\"},\"panelIndex\":\"13a216e9-1e56-4069-a61a-238ff604a18b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - Kerberos", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b207ab90-75bc-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "c879ad60-72a1-11ea-8dd2-9d8795a1200b", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "0ecc7310-75bd-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "2d73e460-75bd-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "48331f00-75bd-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 2513], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDA4LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":104,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":56,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32
,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "z16.04 - Bro - SMB", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b3a53710-3aaa-11e7-8b17-0d8709b02c80", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "19849f30-3aab-11e7-8b17-0d8709b02c80", "name": "panel_0", "type": "search"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "85e40a70-3aac-11e7-8b17-0d8709b02c80", "name": "panel_2", "type": "visualization"}, {"id": "15b4e7a0-3aad-11e7-8b17-0d8709b02c80", "name": "panel_3", "type": "visualization"}, {"id": "31f5e040-3aad-11e7-8b17-0d8709b02c80", "name": "panel_4", "type": "visualization"}, {"id": "6f883480-3aad-11e7-8b17-0d8709b02c80", "name": "panel_5", "type": "visualization"}, {"id": "60384e00-3aaf-11e7-a83b-b1b4da7d15f4", "name": "panel_6", "type": "visualization"}, {"id": "72f0f010-3aaf-11e7-a83b-b1b4da7d15f4", "name": "panel_7", "type": "visualization"}, {"id": "306c4330-4175-11e7-a0f7-47f4c03e3306", "name": "panel_8", "type": "visualization"}, {"id": "AWDHDfDkxQT5EBNmq4fQ", "name": "panel_9", "type": "visualization"}, {"id": "a663e070-4c78-11e8-9b0a-f1d33346f773", "name": "panel_10", "type": "visualization"}], "sort": [1643385898421, 2525], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDA5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Responder Bytes", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Responder 
Bytes\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"respond_bytes\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"_term\",\"customLabel\":\"Responder Bytes\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "b50912f0-366f-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2527], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDEwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Tunnels - Type", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Tunnels - 
Type\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"tunnel.type.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Type\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "b6120810-75ef-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2529], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDExLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Connections - Source - Responder Bytes ( Tile Map)", "uiStateJSON": "{\"mapZoom\":3,\"mapCenter\":[39.70718665682654,-44.912109375]}", "version": 1, "visState": "{\"title\":\"Connections - Source - Responder Bytes ( Tile Map)\",\"type\":\"tile_map\",\"params\":{\"mapType\":\"Scaled Circle 
Markers\",\"isDesaturated\":true,\"addTooltip\":true,\"heatMaxZoom\":0,\"heatMinOpacity\":0.1,\"heatRadius\":25,\"heatBlur\":15,\"heatNormalizeData\":true,\"legendPosition\":\"bottomright\",\"mapZoom\":2,\"mapCenter\":[0,0],\"wms\":{\"enabled\":false,\"url\":\"https://basemap.nationalmap.gov/arcgis/services/USGSTopo/MapServer/WMSServer\",\"options\":{\"version\":\"1.3.0\",\"layers\":\"0\",\"format\":\"image/png\",\"transparent\":true,\"attribution\":\"Maps provided by USGS\",\"styles\":\"\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"cardinality\",\"schema\":\"metric\",\"params\":{\"field\":\"respond_bytes\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"geohash_grid\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.location\",\"autoPrecision\":true,\"useGeocentroid\":true,\"precision\":2}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2531], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDEyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": 
false, "title": "Connections - Source - Responder Bytes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b65775e0-46cb-11e7-946f-1bfb1be7c36b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "f3bc9fa0-46cb-11e7-946f-1bfb1be7c36b", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 2534], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDEzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SNMP - Source IP Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e8511600-36b8-11e7-9786-41a1d72e15ad", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2536], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDE0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SNMP - Session Duration", "uiStateJSON": 
"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SNMP - Session Duration\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"duration\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Duration\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e47015d0-36b9-11e7-9786-41a1d72e15ad", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2538], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDE1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":24,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":32,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "z16.04 - Bro - SNMP", "version": 
1}, "coreMigrationVersion": "7.16.2", "id": "b65c2710-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "a67546c0-3640-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "e8511600-36b8-11e7-9786-41a1d72e15ad", "name": "panel_2", "type": "visualization"}, {"id": "0defabb0-36b9-11e7-9786-41a1d72e15ad", "name": "panel_3", "type": "visualization"}, {"id": "e47015d0-36b9-11e7-9786-41a1d72e15ad", "name": "panel_4", "type": "visualization"}, {"id": "2a3ae810-36ba-11e7-9786-41a1d72e15ad", "name": "panel_5", "type": "visualization"}, {"id": "b12150a0-342e-11e7-9e93-53b62e1857b2", "name": "panel_6", "type": "search"}, {"id": "7dc62970-6e2a-11e7-8b76-75eee0095daa", "name": "panel_7", "type": "visualization"}, {"id": "AWDHD-LfxQT5EBNmq4iB", "name": "panel_8", "type": "visualization"}, {"id": "83a91450-4c79-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 2549], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDE2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSL - Validation Status", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - SSL - Validation 
Status\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.validation_status.keyword: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"ssl.validation_status.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Status\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "b8371250-75ec-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2551], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDE3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:radius\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\"},\"panelIndex\":\"005ac000-9db8-4310-97d5-4574cdaf0e49\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":9,\"i\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\"},\"panelIndex\":\"a65d1358-9fa9-4457-8a46-5790a748d1fa\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":9,\"i\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\"},\"panelIndex\":\"d38d991e-53e4-4b71-8e3f-c0d4b0d454da\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":8,\"h\":19,\"i\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\"},\"panelIndex\":\"9304c1a2-e55f-4f51-bd04-d15892b754a4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":9,\"w\":8,\"h\":19,\"i\":\"7075ea4f-e935-470c-9329-9a0b15202385\"},\"panelIndex\":\"7075ea4f-e935-470c-9329-9a0b15202385\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":9,\"w\":8,\"h\":19,\"i\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\"},\"panelIndex\":\"91a90e9d-71f7-484c-a561-6aef6a3b8f09\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":9,\"w\":9,\"h\":19,\"i\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\"},\"panelIndex\":\"9058f9ee-39d1-4e2b-a99b-ed4c2fb26efd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,\"y\":9,\"w\":15,\"h\":19,\"i\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\"},\"panelIndex\":\"766f8f9b-3f31-47d8-9734-442fc1fcff84\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":29,\"i\":\"49fd1168-f7ab-4759-a92c-f2699389678e\"},\"panelIndex\":\"49fd1168-f7ab-4759-a92c-f2699389678e\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - RADIUS", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "b9769e60-75c4-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "767c89f0-af4c-11ea-b262-353d451b125b", "name": "panel_5", "type": "visualization"}, {"id": "0ca071b0-75c5-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "27ab8260-75c5-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 2561], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDE4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Connections - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - Destination 
Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination Port\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "bc7fbe00-4a44-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2563], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDE5LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.module:osquery\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":0,\"w\":7,\"h\":7,\"i\":\"7f9eaa30-b358-4027-a312-249defe273c4\"},\"panelIndex\":\"7f9eaa30-b358-4027-a312-249defe273c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":7,\"y\":0,\"w\":17,\"h\":7,\"i\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\"},\"panelIndex\":\"ca041a33-b29f-4ce6-8762-2dd86a9c27a2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":7,\"i\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\"},\"panelIndex\":\"4e6cdaec-ad6d-46b2-abdc-7383382635c7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":7,\"w\":48,\"h\":16,\"i\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\"},\"panelIndex\":\"fae63e28-6a3c-4641-94fd-e5b033ac55b9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.2\",\"gridData\":{\"x\":0,\"y\":23,\"w\":48,\"h\":31,\"i\":\"91e35690-24ec-4a13-b791-6146c05a2285\"},\"panelIndex\":\"91e35690-24ec-4a13-b791-6146c05a2285\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"}]", "timeRestore": false, "title": "Security Onion - Osquery", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "bf7cf8d0-7732-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "df50eba0-6ec0-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "ab47a590-afcc-11ea-b262-353d451b125b", "name": "panel_3", "type": "visualization"}, {"id": "a866be10-0e45-11eb-a255-e1e8e85e3571", "name": "panel_4", "type": "search"}], "sort": [1643385898421, 2569], "type": "dashboard", "updated_at": 
"2022-01-28T16:04:58.421Z", "version": "WzE0NDIwLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Software - Log Count Over Time", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Software - Log Count Over Time\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "ba3d77e0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", 
"type": "search"}], "sort": [1643385898421, 2571], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDIxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":40,\"x\":0,\"y\":44,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"name\",\"software_type\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":36,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"}]", "timeRestore": false, "title": "z16.04 - Bro - Software", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c2c99c30-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "da4cc2c0-3640-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "ba3d77e0-342e-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": 
"search"}, {"id": "AWDHEKJUxQT5EBNmq4jW", "name": "panel_3", "type": "visualization"}, {"id": "9b0f6a80-4c7a-11e8-9b0a-f1d33346f773", "name": "panel_4", "type": "visualization"}], "sort": [1643385898421, 2577], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDIyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "Connections - Protocol (Bar Chart)", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Connections - Protocol (Bar Chart)\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100,\"filter\":true},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Protocol\"},\"type\":\"category\"}],\"defaultYExtents\":false,\"drawLinesBetweenPoints\":true,\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"interpolate\":\"linear\",\"legendPosition\":\"right\",\"radiusRatio\":9,\"scale\":\"linear\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\",\"circlesRadius\":1}],\"setYExtents\":false,\"showCircles\":true,\"times\":[],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}],\"type\":\"histogram\",\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"isVislibVis\":true,\"detailedTooltip\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\
"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"protocol.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c3152010-3673-11e7-8c78-e3086faf385c", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2579], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDIzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - MySQL - Success", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - MySQL - Success\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"mysql.success\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ec40c5e0-75c0-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": 
"kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2581], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDI0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event.dataset:mysql\",\"language\":\"kuery\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":9,\"i\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\"},\"panelIndex\":\"b08e3120-b482-4817-b3e9-f521f5acd8f2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":9,\"i\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\"},\"panelIndex\":\"e23b2681-5eae-4de6-8933-ba755508ec5b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":9,\"i\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\"},\"panelIndex\":\"53e06ed2-d64f-46dc-b864-5b884a8c53dc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":9,\"w\":9,\"h\":18,\"i\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\"},\"panelIndex\":\"2bfa498b-d0a8-48ee-9a47-bcf288127d2a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":9,\"w\":9,\"h\":18,\"i\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\"},\"panelIndex\":\"e6a27aaf-ef8d-41a3-aebc-9c26ab2dc189\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":9,\"w\":15,\"h\":18,\"i\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\"},\"panelIndex\":\"e2f6f286-c4ba-4642-b650-366aca2c3d2d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":33,
\"y\":9,\"w\":15,\"h\":18,\"i\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\"},\"panelIndex\":\"f84a5dbd-d99c-4c24-895f-18f1d419af93\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":16,\"i\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\"},\"panelIndex\":\"3b2e66eb-aa46-4363-b8ad-efd564b95279\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":43,\"w\":48,\"h\":29,\"i\":\"fb7962e7-1108-429e-a623-8ece03931e4a\"},\"panelIndex\":\"fb7962e7-1108-429e-a623-8ece03931e4a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "Security Onion - MySQL", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c3ced6d0-75be-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "ec40c5e0-75c0-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "1f306f60-75c0-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "3af496e0-75c0-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_8", "type": "search"}], "sort": [1643385898421, 2591], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDI1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", 
"title": "Bro - Syslog - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2593], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDI2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Bro - Syslog - Protocol", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Bro - Syslog - Protocol\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"protocol.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Protocol\"}}],\"listeners\":{}}"}, "coreMigrationVersion": 
"7.16.2", "id": "e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2595], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDI3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"para
ms\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":8,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":28,\"h\":24,\"x\":8,\"y\":8,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - Bro - Syslog", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c4bbe040-76b3-11e7-ba96-cba76a1e264d", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "92b202e0-76b4-11e7-94e1-3d2ec4e57ed9", "name": "panel_1", "type": "visualization"}, {"id": "269ca380-76b4-11e7-8c3e-cfcdd8c95d87", "name": "panel_2", "type": "search"}, {"id": "6c60a280-76b5-11e7-94e1-3d2ec4e57ed9", "name": "panel_3", "type": "visualization"}, {"id": "ae4e88b0-76b5-11e7-94e1-3d2ec4e57ed9", "name": "panel_4", "type": "visualization"}, {"id": "ca9ffc10-76b5-11e7-94e1-3d2ec4e57ed9", "name": "panel_5", "type": "visualization"}, {"id": "e9d5ae30-76b6-11e7-94e1-3d2ec4e57ed9", "name": "panel_6", "type": "visualization"}, {"id": "346e5c30-76b7-11e7-94e1-3d2ec4e57ed9", "name": "panel_7", "type": "visualization"}, {"id": "AWDHE-_wxQT5EBNmq4n3", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 2605], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDI4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSH - Authentication Success", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"SSH - Authentication Success\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Authentication Success\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"authentication_success.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Authentication Success\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "dcea2790-6e33-11e7-9a19-a5996f8250c6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2607], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDI5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SSH -Server", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSH -Server\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e64833a0-4c7b-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2609], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDMwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":56,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":8,\"w\":12,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":56,\"w\":48,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"14\"},\"panelIndex\"
:\"14\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":28,\"h\":24,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "z16.04 - Bro - SSH", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c6ccfc00-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "09457310-3641-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "8a60eb50-365f-11e7-8c78-e3086faf385c", "name": "panel_2", "type": "visualization"}, {"id": "9a33f9a0-365f-11e7-8c78-e3086faf385c", "name": "panel_3", "type": "visualization"}, {"id": "c33e7600-342e-11e7-9e93-53b62e1857b2", "name": "panel_4", "type": "search"}, {"id": "54d78f50-6e33-11e7-9a19-a5996f8250c6", "name": "panel_5", "type": "visualization"}, {"id": "dcea2790-6e33-11e7-9a19-a5996f8250c6", "name": "panel_6", "type": "visualization"}, {"id": "2bbdc020-6e34-11e7-9a19-a5996f8250c6", "name": "panel_7", "type": "visualization"}, {"id": "AWDHEYk4xQT5EBNmq4k5", "name": "panel_8", "type": "visualization"}, {"id": "e64833a0-4c7b-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 2620], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDMxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - Count", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to 
Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":false},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c7484350-6eb1-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2622], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDMyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Zeek - Notice Message", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Zeek - Notice Message\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.message.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"notice.message.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Message\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c8039090-7a84-11ea-9d13-57f5db13d1ed", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2624], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDMzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RFB - Share Flag", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - RFB - Share Flag\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"rfb.share_flag\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": 
"d5e72b20-75c7-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2626], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDM0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - RFB - Desktop Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - RFB - Desktop Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rfb.desktop.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rfb.desktop.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Desktop Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "fe62c910-75c7-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, 
"references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2628], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDM1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:rfb\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\"},\"panelIndex\":\"f64f888f-f9bb-4be1-ab75-80d2a11303ed\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"0e12fa96-b29d-4815-ae19-b6e894948597\"},\"panelIndex\":\"0e12fa96-b29d-4815-ae19-b6e894948597\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\"},\"panelIndex\":\"7c1a7e05-c37b-4f81-b6b6-b30cfa0897e2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\"},\"panelIndex\":\"c1bb39f4-4d9f-4154-a131-65e727fc0049\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\"},\"panelIndex\":\"e51c88d1-a11a-4d5f-b5a7-f6ac79b23054\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":14,\"h\":19,\"i\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\"},\"panelIndex\":\"b9412112-bc5a-4b16-ba5e-ded11a0e299d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"versi
on\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":8,\"w\":16,\"h\":19,\"i\":\"edfbec77-b174-40ac-9f11-776da22fe82d\"},\"panelIndex\":\"edfbec77-b174-40ac-9f11-776da22fe82d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":24,\"h\":15,\"i\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\"},\"panelIndex\":\"d2d1ebcb-83a9-44ca-80f2-2f0fc2abcecf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":27,\"w\":12,\"h\":15,\"i\":\"aedad86f-ec5e-4330-bab0-468351eb8355\"},\"panelIndex\":\"aedad86f-ec5e-4330-bab0-468351eb8355\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":27,\"w\":12,\"h\":15,\"i\":\"8092b313-2e40-47e4-96a2-51086f98e53f\"},\"panelIndex\":\"8092b313-2e40-47e4-96a2-51086f98e53f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":42,\"w\":48,\"h\":29,\"i\":\"630311aa-6915-4543-a10a-2677f3c2f96a\"},\"panelIndex\":\"630311aa-6915-4543-a10a-2677f3c2f96a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - RFB", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c8b3c360-75c6-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "b2053990-75c7-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": 
"visualization"}, {"id": "d5e72b20-75c7-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "fe62c910-75c7-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "5dcf09e0-75c8-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "316e90a0-75c8-11ea-9565-7315f4ee5cac", "name": "panel_9", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_10", "type": "search"}], "sort": [1643385898421, 2640], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDM2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connection Count", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Connection Count\",\"type\":\"metric\",\"params\":{\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"type\":\"range\",\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":40}},\"dimensions\":{\"metrics\":[{\"type\":\"vis_dimension\",\"accessor\":0,\"format\":{\"id\":\"number\",\"params\":{}}}]},\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\"},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}"}, "coreMigrationVersion": "7.16.2", "id": "c94e2aa0-6e9f-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2642], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDM3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:tunnel\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"19aef080-5875-4182-81a8-2a6639c75489\"},\"panelIndex\":\"19aef080-5875-4182-81a8-2a6639c75489\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\"},\"panelIndex\":\"70939be7-5bb9-4d13-ab89-683b3eda7a98\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"21848a06-ca96-4869-b069-7524caf3ae06\"},\"panelIndex\":\"21848a06-ca96-4869-b069-7524caf3ae06\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":10,\"h\":19,\"i\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\"},\"panelIndex\":\"8020a914-8f9f-4bd6-be32-1c6afa27f9e4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":10,\"y\":8,\"w\":10,\"h\":19,\"i\":\"9f72f316-c3a2-4658-8d03-932fa590e216\"},\"panelIndex\":\"9f72f316-c3a2-4658-8d03-932fa590e216\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":20,\"y\":8,\"w\":9,\"h\":19,\"i\":\"fa1bc43a-2be3-4699-97af-677bded82273\"},\"panelIndex\":\"fa1bc43a-2be3-4699-97af-677bded82273\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":8,\"w\":19,\"h\":19,\"i\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\"},\"panelIndex\":\"7c522eab-36bc-4933-abea-29a4c4a4f918\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":29,\"i\":\"b7799f8a-60
c5-4629-9acd-9bbe7ebbac2a\"},\"panelIndex\":\"b7799f8a-60c5-4629-9acd-9bbe7ebbac2a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]", "timeRestore": false, "title": "Security Onion - Tunnels", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "c962dd60-75ed-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "b6120810-75ef-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "search"}], "sort": [1643385898421, 2651], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDM4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}}}", "version": 1, "visState": "{\"title\":\"Weird - 
Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showMeticsAtAllLevels\":false,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"name.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Type\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Source IP Address\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_ip\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Destination IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "ca3e57d0-4172-11e7-9850-b78558d0ac17", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2653], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDM5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - DNP3 - FC Reply", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - DNP3 - FC 
Reply\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"dnp3.fc_reply.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"dnp3.fc_reply.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"FC Reply\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "cb29fbe0-75b8-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2655], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"*\",\"language\":\"lucene\"}}"}, "optionsJSON": "{\"darkTheme\":true}", "panelsJSON": 
"[{\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":20,\"w\":24,\"h\":20,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":12,\"y\":0,\"w\":24,\"h\":20,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":40,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"x\":0,\"y\":40,\"w\":48,\"h\":24,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_3\"}]", "timeRestore": false, "title": "Connections - Top Source IPs", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "cb367060-3b04-11e7-a83b-b1b4da7d15f4", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "8261cf00-366e-11e7-8c78-e3086faf385c", "name": "panel_0", "type": "visualization"}, {"id": "28c27f80-3b05-11e7-a83b-b1b4da7d15f4", "name": "panel_1", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_2", "type": "visualization"}, {"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "panel_3", "type": "search"}], "sort": [1643385898421, 2660], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQxLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"851cf638-4ae4-45ad-b7ad-e97c0926b6a3": {"columnOrder": ["558ae3ab-245f-4076-9b88-155e26219823", "01fd47d1-6f20-44f0-afb6-2850548061f8"], "columns": {"01fd47d1-6f20-44f0-afb6-2850548061f8": {"dataType": "number", "isBucketed": false, "label": "Count of records", 
"operationType": "count", "scale": "ratio", "sourceField": "Records"}, "558ae3ab-245f-4076-9b88-155e26219823": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Endgame - Event Actions", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "01fd47d1-6f20-44f0-afb6-2850548061f8", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.action"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": ["558ae3ab-245f-4076-9b88-155e26219823"], "layerId": "851cf638-4ae4-45ad-b7ad-e97c0926b6a3", "layerType": "data", "legendDisplay": "show", "metric": "01fd47d1-6f20-44f0-afb6-2850548061f8", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "pie"}}, "title": "Endgame - Event Actions Graph", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "cb421a30-6252-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-851cf638-4ae4-45ad-b7ad-e97c0926b6a3", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2664], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Source IP Address", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Source IP 
Address\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_ip\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"IP Address\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "db570800-365a-11e7-8bd0-1db2c55fb7a1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2666], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "SSL - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f0700840-365a-11e7-8bd0-1db2c55fb7a1", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": 
[1643385898421, 2668], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQ0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "SSL - Summary", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"SSL - Summary\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"server_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Server Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_common_name.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Common Name\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"validation_status.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Validation 
Status\"}},{\"id\":\"5\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"version.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"TLS Version\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ebec2ea0-4c7c-11e8-9b0a-f1d33346f773", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2670], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQ1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":80,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":104,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":36,\"y\":104,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":24,\"x\":16,\"y\":104,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":56,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":8,\"y\":8,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":72,\"x\":0,\"y\":128,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":
24,\"y\":56,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"20\"},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":32,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":4,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_12\"}]", "timeRestore": false, "title": "z16.04 - Bro - SSL", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "cca67b60-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "6139edd0-3641-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "3753e110-365a-11e7-bf60-314364dd1cde", "name": "panel_2", "type": "visualization"}, {"id": "02699580-365a-11e7-bf60-314364dd1cde", "name": "panel_3", "type": "visualization"}, {"id": "db570800-365a-11e7-8bd0-1db2c55fb7a1", "name": "panel_4", "type": "visualization"}, {"id": "f0700840-365a-11e7-8bd0-1db2c55fb7a1", "name": "panel_5", "type": "visualization"}, {"id": "21d090d0-365b-11e7-8bd0-1db2c55fb7a1", "name": "panel_6", "type": "visualization"}, {"id": "53ac63e0-365b-11e7-8bd0-1db2c55fb7a1", "name": "panel_7", "type": "visualization"}, {"id": "ae959820-365c-11e7-8bd0-1db2c55fb7a1", "name": "panel_8", "type": "visualization"}, {"id": "c8f21de0-342e-11e7-9e93-53b62e1857b2", "name": "panel_9", "type": "search"}, {"id": "23d22bd0-70b4-11e7-810e-2bafe9e41c10", "name": "panel_10", "type": "visualization"}, {"id": "AWDHElRWxQT5EBNmq4lz", "name": "panel_11", "type": "visualization"}, {"id": "ebec2ea0-4c7c-11e8-9b0a-f1d33346f773", "name": "panel_12", "type": "visualization"}], "sort": [1643385898421, 2684], "type": "dashboard", 
"updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQ2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":[24.846565348219734,0.087890625],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": false, "title": "Connections - Destination - Sum of Total Bytes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ccfcc540-4638-11e7-a82e-d97152153689", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "1342e630-4632-11e7-9903-85f789353078", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 2687], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQ3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Strelka - File - Entropy", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":0,\"direction\":\"desc\"}}}}", "version": 1, "visState": "{\"title\":\"Strelka - File - 
Entropy\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"scan.entropy.entropy\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Entropy\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ce9e03f0-772c-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2689], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQ4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SIP - Warning", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SIP - 
Warning\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"sip.warning.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.warning.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Warning\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "cf56b070-75ca-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2691], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDQ5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Endgame - All Logs (copy)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Endgame - All 
Logs\",\"type\":\"metric\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"}],\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":60}}}}"}, "coreMigrationVersion": "7.16.2", "id": "d43f0350-6347-11ec-864c-8b5450f97635", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "endgame-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2694], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDUwLDE1XQ=="} +{"attributes": {"description": "", "state": {"datasourceStates": {"indexpattern": {"layers": {"851cf638-4ae4-45ad-b7ad-e97c0926b6a3": {"columnOrder": ["558ae3ab-245f-4076-9b88-155e26219823", "01fd47d1-6f20-44f0-afb6-2850548061f8"], "columns": {"01fd47d1-6f20-44f0-afb6-2850548061f8": {"dataType": "number", "isBucketed": false, "label": "Count of records", "operationType": "count", "scale": "ratio", "sourceField": "Records"}, "558ae3ab-245f-4076-9b88-155e26219823": {"customLabel": true, "dataType": "string", "isBucketed": true, "label": "Endgame - Event Categories", "operationType": "terms", "params": {"missingBucket": false, "orderBy": {"columnId": "01fd47d1-6f20-44f0-afb6-2850548061f8", "type": "column"}, "orderDirection": "desc", "otherBucket": true, "size": 5}, "scale": "ordinal", "sourceField": "event.category"}}, "incompleteColumns": {}}}}}, "filters": [], "query": {"language": "kuery", "query": ""}, "visualization": {"layers": [{"categoryDisplay": "default", "groups": 
["558ae3ab-245f-4076-9b88-155e26219823"], "layerId": "851cf638-4ae4-45ad-b7ad-e97c0926b6a3", "layerType": "data", "legendDisplay": "default", "metric": "01fd47d1-6f20-44f0-afb6-2850548061f8", "nestedLegend": false, "numberDisplay": "percent"}], "shape": "pie"}}, "title": "Endgame - Event Categories Graph", "visualizationType": "lnsPie"}, "coreMigrationVersion": "7.16.2", "id": "d58d6c40-624a-11ec-864c-8b5450f97635", "migrationVersion": {"lens": "7.16.0"}, "references": [{"id": "endgame-*", "name": "indexpattern-datasource-current-indexpattern", "type": "index-pattern"}, {"id": "endgame-*", "name": "indexpattern-datasource-layer-851cf638-4ae4-45ad-b7ad-e97c0926b6a3", "type": "index-pattern"}, {"id": "41a5e270-53b1-11ec-b3ef-6bcc33056a36", "name": "tag-ref-41a5e270-53b1-11ec-b3ef-6bcc33056a36", "type": "tag"}], "sort": [1643385898421, 2698], "type": "lens", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDUxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Log Count Over TIme", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Tunnels - Log Count Over TIme\",\"type\":\"line\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{\"text\":\"@timestamp per 12 
hours\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"interpolate\":\"linear\",\"lineWidth\":2,\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"showCircles\":true,\"interpolate\":\"linear\",\"scale\":\"linear\",\"drawLinesBetweenPoints\":true,\"radiusRatio\":9,\"times\":[],\"addTimeMarker\":false,\"defaultYExtents\":false,\"setYExtents\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"interval\":\"auto\",\"min_doc_count\":1,\"extended_bounds\":{}}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e89c9700-3641-11e7-a6f7-4f44d7bf1c33", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2700], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDUyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Tunnels - Country", "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", "version": 1, "visState": "{\"title\":\"Tunnels - 
Country\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{\"text\":\"Country\"}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"destination_geo.country_name.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Country\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "f60e0c40-6e34-11e7-9a19-a5996f8250c6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2702], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDUzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": 
"{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":16,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":48,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":48,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", 
"timeRestore": false, "title": "z16.04 - Bro - Tunnels", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "d7b54ae0-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "e89c9700-3641-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "43b2b040-3807-11e7-a1cc-ebc6a7e70e84", "name": "panel_2", "type": "visualization"}, {"id": "26457730-3808-11e7-a1cc-ebc6a7e70e84", "name": "panel_3", "type": "visualization"}, {"id": "3cdf2400-3808-11e7-a1cc-ebc6a7e70e84", "name": "panel_4", "type": "visualization"}, {"id": "d26d5510-342e-11e7-9e93-53b62e1857b2", "name": "panel_5", "type": "search"}, {"id": "f60e0c40-6e34-11e7-9a19-a5996f8250c6", "name": "panel_6", "type": "visualization"}, {"id": "33b39a60-6e35-11e7-9a19-a5996f8250c6", "name": "panel_7", "type": "visualization"}, {"id": "53824da0-6e35-11e7-9a19-a5996f8250c6", "name": "panel_8", "type": "visualization"}, {"id": "AWDHFYrqxQT5EBNmq4qT", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 2713], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDU0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"event_type:bro_conn\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Connections - Service", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Connections - 
Service\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"service.keyword\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Service\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "*:logstash-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2715], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDU1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SSL - Server Name", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SSL - Server 
Name\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.server_name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.server_name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Server Name\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "db4dc4a0-75ec-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2717], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDU2LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Network Datasets", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Network 
Datasets\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":2,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Dataset\",\"aggType\":\"terms\"},{\"accessor\":1,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"event.module.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.dataset.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Dataset\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":5,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "dbe4cc20-6ea7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "387f44c0-6ea7-11ea-9266-1fd14ca6af34", "name": "search_0", "type": 
"search"}], "sort": [1643385898421, 2719], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDU3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "Weird - Destination Port", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Weird - Destination Port\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Port\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "dbfe2f00-6e35-11e7-9a19-a5996f8250c6", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2721], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDU4LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNS - Queries", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"DNS - 
Queries\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"query.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Query\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "dcda5680-2927-11e8-b2a2-09f3986ae284", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2723], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDU5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SIP - URI", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SIP - 
URI\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"sip.uri.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "f63cba40-75ca-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2725], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDYwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:sip\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\"},\"panelIndex\":\"1e84368a-ad74-4d57-9793-5c9ce813045b\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":17,\"h\":8,\"i\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\"},\"panelIndex\":\"304e7cd2-dc4f-4bf4-b1fe-747091d61b67\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":8,\"i\":\"e87052bf-935e-421b-8208-e798a37edf69\"},\"panelIndex\":\"e87052bf-935e-421b-8208-e798a37edf69\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\"},\"panelIndex\":\"b2055759-c7fd-43ab-8613-6031e8e148d3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"a303da32-bd43-45a5-acbf-093478d734f9\"},\"panelIndex\":\"a303da32-bd43-45a5-acbf-093478d734f9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":8,\"h\":19,\"i\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\"},\"panelIndex\":\"d8632aad-86f0-4290-9480-75ec477ae4cd\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":8,\"w\":8,\"h\":19,\"i\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\"},\"panelIndex\":\"ee3b0df5-4a03-470b-9d26-4eedf4f8b8d6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":34,\"y\":8,\"w\":14,\"h\":19,\"i\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\"},\"panelIndex\":\"dbe534a3-1a06-4185-b78a-293d7ec848c4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7
.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":12,\"h\":17,\"i\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\"},\"panelIndex\":\"45de60a4-61ab-4b78-8cc7-5a783070c9be\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":12,\"y\":27,\"w\":12,\"h\":17,\"i\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\"},\"panelIndex\":\"9cb368f2-b652-4dc9-8427-b88a592e8361\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":27,\"w\":24,\"h\":17,\"i\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\"},\"panelIndex\":\"b78c61e2-61c3-4c43-94d9-c3971ee375be\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":44,\"w\":48,\"h\":29,\"i\":\"ba5c8087-cf68-4a4c-9800-05731dca2608\"},\"panelIndex\":\"ba5c8087-cf68-4a4c-9800-05731dca2608\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]", "timeRestore": false, "title": "Security Onion - SIP", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "dd98e260-75c6-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "272b8ab0-75ca-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "9ff24600-75ca-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "f63cba40-75ca-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "49384710-75ca-11ea-9565-7315f4ee5cac", "name": "panel_8", 
"type": "visualization"}, {"id": "81a1a740-75ca-11ea-9565-7315f4ee5cac", "name": "panel_9", "type": "visualization"}, {"id": "cf56b070-75ca-11ea-9565-7315f4ee5cac", "name": "panel_10", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_11", "type": "search"}], "sort": [1643385898421, 2738], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDYxLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":80,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":14,\"h\":24,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":32,\"w\":14,\"h\":24,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":16,\"h\":24,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":80,\"w\":48,\"h\":24,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"columns\":[\"sou
rce_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":56,\"w\":40,\"h\":24,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":3,\"direction\":\"desc\"}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":36,\"y\":32,\"w\":12,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":8,\"w\":24,\"h\":24,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "z16.04 - Bro - Weird", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "de2da250-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "0dbcade0-3642-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "1b837b00-364e-11e7-9dc3-d35061cb642d", "name": "panel_2", "type": "visualization"}, {"id": "312cd460-364e-11e7-9dc3-d35061cb642d", "name": "panel_3", "type": "visualization"}, {"id": "8dbbbed0-364e-11e7-9dc3-d35061cb642d", "name": "panel_4", "type": "visualization"}, {"id": "e32d0d50-342e-11e7-9e93-53b62e1857b2", "name": "panel_5", "type": "search"}, {"id": "ca3e57d0-4172-11e7-9850-b78558d0ac17", "name": "panel_6", "type": "visualization"}, {"id": "dbfe2f00-6e35-11e7-9a19-a5996f8250c6", 
"name": "panel_7", "type": "visualization"}, {"id": "AWDHGXk-xQT5EBNmq4uf", "name": "panel_8", "type": "visualization"}, {"id": "691ade50-4c85-11e8-9b0a-f1d33346f773", "name": "panel_9", "type": "visualization"}], "sort": [1643385898421, 2749], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDYyLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Hash - SSDeep", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Hash - SSDeep\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"Hash\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"hash.ssdeep.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"SSDeep\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "e087c7d0-772d-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": 
"logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2751], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDYzLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":63,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":0,\"w\":32,\"h\":8,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":63,\"w\":16,\"h\":28,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":63,\"w\":16,\"h\":28,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":91,\"w\":16,\"h\":24,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":16,\"y\":91,\"w\":16,\"h\":24,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRe
fName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":91,\"w\":16,\"h\":24,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":16,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":32,\"w\":40,\"h\":31,\"i\":\"19\"},\"panelIndex\":\"19\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":115,\"w\":48,\"h\":24,\"i\":\"25\"},\"panelIndex\":\"25\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":24,\"w\":18,\"h\":8,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":8,\"h\":8,\"i\":\"29\"},\"panelIndex\":\"29\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":63,\"w\":16,\"h\":28,\"i\":\"31\"},\"panelIndex\":\"31\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":8,\"w\":22,\"h\":24,\"i\":\"32\"},\"panelIndex\":\"32\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"}]", "timeRestore": false, "title": "z16.04 - Bro - Connections", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "e0a34b90-34e6-11e7-9118-45bd317f0ca4", "migrationVersion": 
{"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "2da139c0-34e7-11e7-9118-45bd317f0ca4", "name": "panel_1", "type": "visualization"}, {"id": "8261cf00-366e-11e7-8c78-e3086faf385c", "name": "panel_2", "type": "visualization"}, {"id": "9a54f150-366e-11e7-8c78-e3086faf385c", "name": "panel_3", "type": "visualization"}, {"id": "296823d0-366f-11e7-8c78-e3086faf385c", "name": "panel_4", "type": "visualization"}, {"id": "b50912f0-366f-11e7-8c78-e3086faf385c", "name": "panel_5", "type": "visualization"}, {"id": "05088150-3670-11e7-8c78-e3086faf385c", "name": "panel_6", "type": "visualization"}, {"id": "c3152010-3673-11e7-8c78-e3086faf385c", "name": "panel_7", "type": "visualization"}, {"id": "13fe29c0-3b17-11e7-b871-5f76306b9694", "name": "panel_8", "type": "visualization"}, {"id": "9bf42190-342d-11e7-9e93-53b62e1857b2", "name": "panel_9", "type": "search"}, {"id": "25ce6eb0-463b-11e7-a82e-d97152153689", "name": "panel_10", "type": "visualization"}, {"id": "AWDG71xFxQT5EBNmq336", "name": "panel_11", "type": "visualization"}, {"id": "bc7fbe00-4a44-11e8-9b0a-f1d33346f773", "name": "panel_12", "type": "visualization"}, {"id": "d7d3dda0-54b9-11e9-a48f-b7dfb1d0f288", "name": "panel_13", "type": "visualization"}], "sort": [1643385898421, 2766], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDY0LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "DNS - Destination Port (Horizontal Bar Chart)", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"DNS - Destination Port (Horizontal Bar 
Chart)\",\"type\":\"histogram\",\"params\":{\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":false,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"destination_port\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "e3717d80-6e0f-11e7-8624-1fb07dd76c6a", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2768], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDY1LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[]}"}, "savedSearchRefName": "search_0", "title": "X.509 - Certificate Subject", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"X.509 - Certificate 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"certificate_subject.keyword\",\"size\":100,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Subject\"}}],\"listeners\":{}}"}, "coreMigrationVersion": "7.16.2", "id": "fab4b560-37d8-11e7-9efb-91e89505091f", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2770], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDY2LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":68,\"x\":0,\"y\":96,\"i\":\"4\"},\"panelIndex\":\"4\",\"embeddableConfig\":{\"columns\":[\"certificate_subject\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":20,\"x\":28,\"y\":8,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":20,\"x\":8,\"y\":28,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "z16.04 - Bro - X.509", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "e5aa7170-3583-11e7-a588-05992195c551", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, 
{"id": "41bee360-3642-11e7-a6f7-4f44d7bf1c33", "name": "panel_1", "type": "visualization"}, {"id": "f5038cc0-342e-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": "search"}, {"id": "738127f0-37d7-11e7-9efb-91e89505091f", "name": "panel_3", "type": "visualization"}, {"id": "fab4b560-37d8-11e7-9efb-91e89505091f", "name": "panel_4", "type": "visualization"}, {"id": "0a5f7b30-37d9-11e7-9efb-91e89505091f", "name": "panel_5", "type": "visualization"}, {"id": "150f7280-6e37-11e7-a8d6-ed2e692de531", "name": "panel_6", "type": "visualization"}, {"id": "446e85c0-6e37-11e7-a8d6-ed2e692de531", "name": "panel_7", "type": "visualization"}, {"id": "AWDHGklsxQT5EBNmq4wG", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 2780], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDY3LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Host - Domain", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Host - Domain\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.domain.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Domain\"}}]}"}, "coreMigrationVersion": 
"7.16.2", "id": "e80aa100-7375-11ea-a3da-cbdb4f8a90c0", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2782], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDY4LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"mapCenter\":[39.639537564366684,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": false, "title": "Connections - Destination - Top Connection Duration", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ea211360-46c4-11e7-a82e-d97152153689", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f7492d0-46c4-11e7-a82e-d97152153689", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 2785], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDY5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "savedSearchRefName": "search_0", "title": "DNS - Answers", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, 
"visState": "{\"title\":\"DNS - Answers\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMeticsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"answers.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":50,\"order\":\"desc\",\"orderBy\":\"1\",\"customLabel\":\"Answer\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ff2af9b0-2927-11e8-b2a2-09f3986ae284", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2787], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDcwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"default_field\":\"*\",\"query\":\"*\",\"time_zone\":\"America/New_York\"}}},\"filter\":[]}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":68,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":44,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":44,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":92,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":64,\"x\":0,\"y\":116,\"i\":\"16\"},\"panelIndex\":\"16\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"17\"},\"panelIndex\":\"17\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":44,\"i\":\"21\"},\"panelIndex\":\"21\",\"embeddableConfig\":{\"vis\":null,\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":12,\"x\":32,\"y\":56,\"i\":\"22\"},\"panelIndex\":\"22\",\"embeddableConfig\":{\"vis\":null,\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\"
:{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"23\"},\"panelIndex\":\"23\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":0,\"y\":68,\"i\":\"24\"},\"panelIndex\":\"24\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":24,\"h\":24,\"x\":24,\"y\":68,\"i\":\"25\"},\"panelIndex\":\"25\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_12\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":20,\"i\":\"26\"},\"panelIndex\":\"26\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_13\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":20,\"i\":\"27\"},\"panelIndex\":\"27\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_14\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":20,\"i\":\"28\"},\"panelIndex\":\"28\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_15\"}]", "timeRestore": false, "title": "z16.04 - Bro - DNS", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ebf5ec90-34bf-11e7-9b32-bb903919ead9", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "6ef90c30-34c0-11e7-9b32-bb903919ead9", "name": "panel_1", "type": "visualization"}, {"id": "57a9a3f0-34c0-11e7-9b32-bb903919ead9", "name": "panel_2", "type": "visualization"}, {"id": "45a652b0-34c1-11e7-917c-af7a9d11771a", "name": "panel_3", "type": "visualization"}, {"id": "e8e3b8a0-34c1-11e7-917c-af7a9d11771a", "name": "panel_4", "type": "visualization"}, {"id": "1ecdd2e0-34c0-11e7-9b32-bb903919ead9", "name": "panel_5", "type": "visualization"}, {"id": "d46522e0-342d-11e7-9e93-53b62e1857b2", "name": "panel_6", "type": "search"}, {"id": "e3717d80-6e0f-11e7-8624-1fb07dd76c6a", "name": "panel_7", "type": "visualization"}, 
{"id": "4d89e140-6f09-11e7-9d31-23c0596994a7", "name": "panel_8", "type": "visualization"}, {"id": "74861280-6f06-11e7-b253-211f64f37eda", "name": "panel_9", "type": "visualization"}, {"id": "AWDG9Qx0xQT5EBNmq3_2", "name": "panel_10", "type": "visualization"}, {"id": "dcda5680-2927-11e8-b2a2-09f3986ae284", "name": "panel_11", "type": "visualization"}, {"id": "ff2af9b0-2927-11e8-b2a2-09f3986ae284", "name": "panel_12", "type": "visualization"}, {"id": "22f7de30-4949-11e8-9576-313be7c6b44b", "name": "panel_13", "type": "visualization"}, {"id": "0c338e50-4a4e-11e8-9b0a-f1d33346f773", "name": "panel_14", "type": "visualization"}, {"id": "49e04860-4a4e-11e8-9b0a-f1d33346f773", "name": "panel_15", "type": "visualization"}], "sort": [1643385898421, 2804], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDcxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - SMB - File System", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - SMB - File System\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"smb.file_system.keyword: 
Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"smb.file_system.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"File System\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ed215680-75ef-11ea-9565-7315f4ee5cac", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2806], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDcyLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.3.0\",\"gridData\":{\"h\":8,\"i\":\"3\",\"w\":32,\"x\":16,\"y\":0},\"panelIndex\":\"3\",\"embeddableConfig\":{\"vis\":{\"legendOpen\":false},\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":51,\"i\":\"4\",\"w\":8,\"x\":0,\"y\":0},\"panelIndex\":\"4\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":22,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":51},\"panelIndex\":\"6\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":17,\"i\":\"12\",\"w\":20,\"x\":8,\"y\":34},\"panelIndex\":\"12\",\"embeddableConfig\":{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}},\"enhancements\":{}},\"title\":\"NIDS Alert - Source Port\",\"panelRefName\":\"panel_3\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":8,\"i\":\"16\",\"w\":8,\"x\":8,\"y\":0},\"panelIndex\":\"16\",\"embeddableConfig\":{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}},\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":17,\"i\":\"18\",\"w\":20,\"x\":28,\"y\":34},\"panelIndex\":\"18\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS Alert - Destination Port\",\"panelRefName\":\"panel_5\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":16,\"i\":\"19\",\"w\":40,\"x\":8,\"y\":18},\"panelIndex\":\"19\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS - Alert Summary \",\"panelRefName\":\"panel_6\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":10,\"i\":\"20\",\"w\":17,\"x\":8,\"y\":8},\"panelIndex\":\"20\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS - Alert 
Title\",\"panelRefName\":\"panel_7\"},{\"version\":\"7.3.0\",\"gridData\":{\"h\":10,\"i\":\"21\",\"w\":23,\"x\":25,\"y\":8},\"panelIndex\":\"21\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"NIDS - Rule Signature\",\"panelRefName\":\"panel_8\"}]", "timeRestore": false, "title": "NIDS - SID Drilldown", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ed6f7e20-e060-11e9-8f0c-2ddbf5ed9290", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "d58ec1a0-34e4-11e7-9669-7f1d3242b798", "name": "panel_0", "type": "visualization"}, {"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_1", "type": "visualization"}, {"id": "9a5a35c0-342f-11e7-9e93-53b62e1857b2", "name": "panel_2", "type": "search"}, {"id": "620283e0-3af5-11e7-a83b-b1b4da7d15f4", "name": "panel_3", "type": "visualization"}, {"id": "AWDG3ym0xQT5EBNmq3mG", "name": "panel_4", "type": "visualization"}, {"id": "3f040620-4a44-11e8-9b0a-f1d33346f773", "name": "panel_5", "type": "visualization"}, {"id": "3a1b54b0-e061-11e9-8f0c-2ddbf5ed9290", "name": "panel_6", "type": "visualization"}, {"id": "1b3faca0-e064-11e9-8f0c-2ddbf5ed9290", "name": "panel_7", "type": "visualization"}, {"id": "6533dd40-e064-11e9-8f0c-2ddbf5ed9290", "name": "panel_8", "type": "visualization"}], "sort": [1643385898421, 2816], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDczLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - HTTP - Version", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - HTTP - 
Version\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"http.version.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "ede56800-6ed7-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9ee33aa0-6eb1-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2818], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDc0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:ssl\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"7ba54e84-e774-489e-b4e5-156bff163007\"},\"panelIndex\":\"7ba54e84-e774-489e-b4e5-156bff163007\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"83706228-debf-441c-ab7f-2e20c91ec132\"},\"panelIndex\":\"83706228-debf-441c-ab7f-2e20c91ec132\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"e06b2a92-d78b-4d77-9948-40a96a630656\"},\"panelIndex\":\"e06b2a92-d78b-4d77-9948-40a96a630656\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":20,\"i\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\"},\"panelIndex\":\"6f2ba042-522e-43a3-8b9f-0d00e1b60070\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":10,\"h\":20,\"i\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\"},\"panelIndex\":\"f9b0f61d-4ff7-4bfb-a210-61ac7c07407a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":8,\"w\":11,\"h\":20,\"i\":\"19764782-13cb-4b14-b272-d30fbdead5a2\"},\"panelIndex\":\"19764782-13cb-4b14-b272-d30fbdead5a2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":30,\"y\":8,\"w\":18,\"h\":20,\"i\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\"},\"panelIndex\":\"8e0caa58-2dba-4d73-bf54-2c5452b7e5ff\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":28,\"w\":48,\"h\":21,\"i\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\"},\"panelIndex\":\"a804d523-cf9b-47f1-85ca-4931defc69ce\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":
\"7.9.0\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":21,\"i\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\"},\"panelIndex\":\"6ce88ef8-a636-4f1c-85e9-922ab70a500f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":70,\"w\":48,\"h\":29,\"i\":\"75b95d1d-98a0-4d86-b72b-1ecc6f5d7c5a\"},\"panelIndex\":\"75b95d1d-98a0-4d86-b72b-1ecc6f5d7c5a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - SSL", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "efae8de0-75eb-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "db4dc4a0-75ec-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "b8371250-75ec-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "4e8cbf80-75ec-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "6fccb600-75ec-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 2829], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDc1LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": 
"{\"filter\":[],\"highlightAll\":true,\"version\":true,\"query\":{\"language\":\"lucene\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}}}}"}, "optionsJSON": "{\"darkTheme\":true,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.3.0\",\"gridData\":{\"w\":8,\"h\":44,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.3.0\",\"gridData\":{\"w\":40,\"h\":40,\"x\":8,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"mapCenter\":[24.84656534821976,0.17578125],\"mapZoom\":2,\"enhancements\":{}},\"panelRefName\":\"panel_1\"}]", "timeRestore": false, "title": "Connections - Source - Sum of Total Bytes", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "f042ad60-46c6-11e7-946f-1bfb1be7c36b", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "b3b449d0-3429-11e7-9d52-4f090484f59e", "name": "panel_0", "type": "visualization"}, {"id": "1156b1e0-46c7-11e7-946f-1bfb1be7c36b", "name": "panel_1", "type": "visualization"}], "sort": [1643385898421, 2851], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDg3LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:smb*\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": 
"[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":13,\"h\":8,\"i\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\"},\"panelIndex\":\"4f0e2e7d-aeee-4de8-82f0-9faffa596a05\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":13,\"y\":0,\"w\":16,\"h\":8,\"i\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\"},\"panelIndex\":\"efd2f5f0-c795-41e8-b0d7-7a3012e04d4d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":8,\"i\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\"},\"panelIndex\":\"c4342fbe-e949-42d7-959c-c1ce6978033a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":9,\"h\":19,\"i\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\"},\"panelIndex\":\"f59a811c-5a72-4337-84bd-32a5d1dce308\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":9,\"y\":8,\"w\":9,\"h\":19,\"i\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\"},\"panelIndex\":\"5bb49dfa-0703-448b-a249-6cebb45e101c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":18,\"y\":8,\"w\":10,\"h\":19,\"i\":\"4f886675-43c8-46c9-a471-717010d40e67\"},\"panelIndex\":\"4f886675-43c8-46c9-a471-717010d40e67\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":28,\"y\":8,\"w\":10,\"h\":19,\"i\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\"},\"panelIndex\":\"f00a4afd-cd5f-48a4-a8d3-bc80f7367285\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":38,\"y\":8,\"w\":10,\"h\":19,\"i\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\"},\"panelIndex\":\"c88f8f9f-c3d9-43c1-bfb1-bb2b7f64b92f\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\
"7.9.0\",\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":20,\"i\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\"},\"panelIndex\":\"d76e30ec-3114-4100-a806-2a77ba987bbe\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":29,\"i\":\"b48f25cd-4353-46f1-ba89-12da381a65eb\"},\"panelIndex\":\"b48f25cd-4353-46f1-ba89-12da381a65eb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - SMB", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "f24d7b80-75c6-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "7f822930-6ea4-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "34762420-75f0-11ea-9565-7315f4ee5cac", "name": "panel_5", "type": "visualization"}, {"id": "1c6567b0-75f0-11ea-9565-7315f4ee5cac", "name": "panel_6", "type": "visualization"}, {"id": "ed215680-75ef-11ea-9565-7315f4ee5cac", "name": "panel_7", "type": "visualization"}, {"id": "052df440-75f0-11ea-9565-7315f4ee5cac", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 2862], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDg4LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:playbook AND event.dataset:alert\"},\"filter\":[]}"}, "optionsJSON": 
"{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"c2172038-7740-458c-977a-98d139c438c2\"},\"panelIndex\":\"c2172038-7740-458c-977a-98d139c438c2\",\"embeddableConfig\":{\"enhancements\":{}},\"title\":\"Security Onion - Alert Data\",\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":18,\"h\":8,\"i\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\"},\"panelIndex\":\"b18f1671-c1a0-44c8-946b-71bc21e62482\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":0,\"w\":22,\"h\":8,\"i\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\"},\"panelIndex\":\"b26faccc-11d5-4cc3-8fd2-484b5e3659bc\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":26,\"h\":18,\"i\":\"1f88747a-06f5-4450-8d08-150d0cd37667\"},\"panelIndex\":\"1f88747a-06f5-4450-8d08-150d0cd37667\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":26,\"y\":8,\"w\":22,\"h\":18,\"i\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\"},\"panelIndex\":\"0b5a83d1-8f56-4616-b0aa-af25a1995379\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":21,\"i\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\"},\"panelIndex\":\"28431fa5-4ce9-40db-a190-541b3390f9d0\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"}]", "timeRestore": false, "title": "Security Onion - Playbook", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "f449f0a0-c77c-11ea-bebb-37c5ab5894ea", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "30df00e0-7733-11ea-bee5-af7f7c7b8e05", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, 
{"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "508fb520-72af-11ea-8dd2-9d8795a1200b", "name": "panel_3", "type": "visualization"}, {"id": "f7e1d570-72ae-11ea-8dd2-9d8795a1200b", "name": "panel_4", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "search"}], "sort": [1643385898421, 2869], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDg5LDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Zeek - Notice Action", "uiStateJSON": "{}", "version": 1, "visState": "{\"title\":\"Security Onion - Zeek - Notice Action\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"number\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"notice.p: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"notice.action.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": 
"fafba910-7a84-11ea-9d13-57f5db13d1ed", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2871], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDkwLDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.dataset:notice AND event.module:zeek\"},\"filter\":[]}"}, "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":8,\"i\":\"3c981b35-b930-4523-bef4-7f5193148816\"},\"panelIndex\":\"3c981b35-b930-4523-bef4-7f5193148816\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":8,\"y\":0,\"w\":16,\"h\":8,\"i\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\"},\"panelIndex\":\"eb1b234a-2d6b-46af-9afe-a420a389dad1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":24,\"y\":0,\"w\":24,\"h\":8,\"i\":\"7d323b2f-3502-4397-93fd-b430d9011d92\"},\"panelIndex\":\"7d323b2f-3502-4397-93fd-b430d9011d92\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":8,\"w\":19,\"h\":18,\"i\":\"298b9cf4-5e54-45f5-805c-e04b31044401\"},\"panelIndex\":\"298b9cf4-5e54-45f5-805c-e04b31044401\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":19,\"y\":8,\"w\":29,\"h\":18,\"i\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\"},\"panelIndex\":\"1fa5b7c2-2680-4dd0-9c07-a714d8d8968a\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":26,\"w\":11,\"h\":23,\"i\":\"9056cf20-d882-4316-ba02-91ecbd1d4df9\"},\"panelIndex\":\"9056c
f20-d882-4316-ba02-91ecbd1d4df9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":11,\"y\":26,\"w\":11,\"h\":23,\"i\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\"},\"panelIndex\":\"5f855acb-fec5-4155-b2ef-0961a6d9a89c\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":22,\"y\":26,\"w\":10,\"h\":23,\"i\":\"208bc4b2-013a-4aab-b72c-45a618077791\"},\"panelIndex\":\"208bc4b2-013a-4aab-b72c-45a618077791\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":32,\"y\":26,\"w\":16,\"h\":23,\"i\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\"},\"panelIndex\":\"5429bbba-3d62-4a93-9932-4a2cc4369775\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"x\":0,\"y\":49,\"w\":48,\"h\":20,\"i\":\"e08f3143-7e05-49ab-882f-d63e24e622bb\"},\"panelIndex\":\"e08f3143-7e05-49ab-882f-d63e24e622bb\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"}]", "timeRestore": false, "title": "Security Onion - Zeek - Notices", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "fa9ed760-7734-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "30df00e0-7733-11ea-bee5-af7f7c7b8e05", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "9c6ccff0-7a84-11ea-9d13-57f5db13d1ed", "name": "panel_3", "type": "visualization"}, {"id": "c8039090-7a84-11ea-9d13-57f5db13d1ed", "name": "panel_4", "type": "visualization"}, {"id": "6b18be30-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_5", "type": "visualization"}, {"id": "b6a4f3f0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_6", "type": "visualization"}, {"id": 
"f4cfdeb0-72a7-11ea-8dd2-9d8795a1200b", "name": "panel_7", "type": "visualization"}, {"id": "fafba910-7a84-11ea-9d13-57f5db13d1ed", "name": "panel_8", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": "panel_9", "type": "search"}], "sort": [1643385898421, 2882], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDkxLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[{\"$state\":{\"store\":\"appState\"},\"meta\":{\"alias\":null,\"disabled\":false,\"key\":\"event.module.keyword\",\"negate\":true,\"params\":{\"query\":\"suricata\"},\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"query\":{\"match_phrase\":{\"event.module.keyword\":\"suricata\"}}}]}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Playbook - Rules", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": 
"{\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"rule.name.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"event.module.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Module\"}}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"rule.name.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"title\":\"Security Onion - Playbook - Rules\"}"}, "coreMigrationVersion": "7.16.2", "id": "faaf66e0-c77d-11ea-bebb-37c5ab5894ea", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", "type": "index-pattern"}, {"id": "5c3effd0-72ae-11ea-8dd2-9d8795a1200b", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2885], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDkyLDE1XQ=="} +{"attributes": {"description": 
"", "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"}, "title": "Security Onion - Syslog - Severity (Donut)", "uiStateJSON": "{}", "version": 1, "visState": "{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity_label\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity_label: Descending\",\"aggType\":\"terms\"}]},\"palette\":{\"type\":\"palette\",\"name\":\"kibana_palette\"},\"distinctColors\":true},\"title\":\"Security Onion - Syslog - Severity (Donut)\"}"}, "coreMigrationVersion": "7.16.2", "id": "fc8d41a0-777b-11ea-bee5-af7f7c7b8e05", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}], "sort": [1643385898421, 2887], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDkzLDE1XQ=="} +{"attributes": {"description": "", "kibanaSavedObjectMeta": 
{"searchSourceJSON": "{}"}, "savedSearchRefName": "search_0", "title": "Security Onion - Connections - Top Source IPs", "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}", "version": 1, "visState": "{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"}, "coreMigrationVersion": "7.16.2", "id": "fd8b4640-6e9f-11ea-9266-1fd14ca6af34", "migrationVersion": {"visualization": "7.14.0"}, "references": [{"id": "9b333020-6e9f-11ea-9266-1fd14ca6af34", "name": "search_0", "type": "search"}], "sort": [1643385898421, 2889], "type": "visualization", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDk0LDE1XQ=="} +{"attributes": {"description": "", "hits": 0, "kibanaSavedObjectMeta": {"searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"}, "optionsJSON": 
"{\"hidePanelTitles\":false,\"useMargins\":true}", "panelsJSON": "[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{
\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]", "timeRestore": false, "title": "Security Onion - Strelka", "version": 1}, "coreMigrationVersion": "7.16.2", "id": "ff689c50-75f3-11ea-9565-7315f4ee5cac", "migrationVersion": {"dashboard": "7.16.0"}, "references": [{"id": "8cfec8c0-6ec2-11ea-9266-1fd14ca6af34", "name": "panel_0", "type": "visualization"}, {"id": "d04b5130-6e99-11ea-9266-1fd14ca6af34", "name": "panel_1", "type": "visualization"}, {"id": "23ed13a0-6e9a-11ea-9266-1fd14ca6af34", "name": "panel_2", "type": "visualization"}, {"id": "7a88adc0-75f0-11ea-9565-7315f4ee5cac", "name": "panel_3", "type": "visualization"}, {"id": "49cfe850-772c-11ea-bee5-af7f7c7b8e05", "name": "panel_4", "type": "visualization"}, {"id": "70243970-772c-11ea-bee5-af7f7c7b8e05", "name": "panel_5", "type": "visualization"}, {"id": "ce9e03f0-772c-11ea-bee5-af7f7c7b8e05", "name": "panel_6", "type": "visualization"}, {"id": "a7ebb450-772c-11ea-bee5-af7f7c7b8e05", "name": "panel_7", "type": "visualization"}, {"id": "08c0b770-772e-11ea-bee5-af7f7c7b8e05", "name": "panel_8", "type": "visualization"}, {"id": "e087c7d0-772d-11ea-bee5-af7f7c7b8e05", "name": "panel_9", "type": "visualization"}, {"id": "8b6f3150-72a2-11ea-8dd2-9d8795a1200b", "name": 
"panel_10", "type": "search"}], "sort": [1643385898421, 2901], "type": "dashboard", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDk1LDE1XQ=="} +{"attributes": {"allowNoIndex": true, "fieldFormatMap": "{\"Ransomware.child_processes.pid\":{\"id\":\"string\"},\"Ransomware.pid\":{\"id\":\"string\"},\"Responses.@timestamp\":{\"id\":\"string\"},\"Target.process.parent.pgid\":{\"id\":\"string\"},\"Target.process.parent.pid\":{\"id\":\"string\"},\"Target.process.parent.ppid\":{\"id\":\"string\"},\"Target.process.parent.thread.id\":{\"id\":\"string\"},\"Target.process.pgid\":{\"id\":\"string\"},\"Target.process.pid\":{\"id\":\"string\"},\"Target.process.ppid\":{\"id\":\"string\"},\"Target.process.thread.id\":{\"id\":\"string\"},\"event.sequence\":{\"id\":\"string\"},\"event.severity\":{\"id\":\"string\"},\"process.parent.pgid\":{\"id\":\"string\"},\"process.parent.pid\":{\"id\":\"string\"},\"process.parent.ppid\":{\"id\":\"string\"},\"process.parent.thread.id\":{\"id\":\"string\"},\"process.pgid\":{\"id\":\"string\"},\"process.pid\":{\"id\":\"string\"},\"process.ppid\":{\"id\":\"string\"},\"process.thread.id\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.header.entrypoint\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.sections.chi2\":{\"id\":\"number\"},\"threat.enrichments.indicator.file.elf.sections.entropy\":{\"id\":\"number\"},\"threat.enrichments.indicator.file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"threat.enrichments.indicator.file.elf.sections.virtual_address\":{\"id\":\"string\"},\"threat.enrichments.indicator.file.elf.sections.virtual_size\":{\"id\":\"string\"},\"threat.enrichments.indicator.url.port\":{\"id\":\"string\"},\"threat.indicator.file.elf.header.entrypoint\":{\"id\":\"string\"},\"threat.indicator.file.elf.sections.chi2\":{\"id\":\"number\"},\"threat.indicator.file.elf.sections.entropy\":{\"id\":\"number\"},\"threat.indicator.file.elf.sections.physical_size\":{\"id\":\"bytes\"},\"threat.indicator.file.
elf.sections.virtual_address\":{\"id\":\"string\"},\"threat.indicator.file.elf.sections.virtual_size\":{\"id\":\"string\"},\"threat.indicator.url.port\":{\"id\":\"string\"},\"destination.bytes\":{\"id\":\"bytes\"},\"destination.port\":{\"id\":\"string\"},\"http.request.body.bytes\":{\"id\":\"bytes\"},\"http.request.bytes\":{\"id\":\"bytes\"},\"http.response.body.bytes\":{\"id\":\"bytes\"},\"http.response.bytes\":{\"id\":\"bytes\"},\"http.response.status_code\":{\"id\":\"string\"},\"network.bytes\":{\"id\":\"bytes\"},\"source.bytes\":{\"id\":\"bytes\"},\"source.port\":{\"id\":\"string\"}}", "fields": "[{\"name\":\"cloud.account.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.machine.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.project.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.image.id\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.image.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.labels\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.family\",\"type\":\"string\",\"c
ount\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.containerized\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.namespace\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"elastic_agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.snapshot\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.actio
n\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.ingested\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.outcome\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.hosts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"source.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.method\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.dropped_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.ssh.event\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.error\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.tty\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.pwd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.sudo.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.home\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.auth.useradd.shell\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.api\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computer_name\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuthenticationPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Binary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BitlockerUserInputTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BootMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BootType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.BuildVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CorruptionActionState\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Description\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Detail\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceVersionMajor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DeviceVersionMinor\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DriveName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DriverName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DriverNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DwordVal\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.EntryCount\",\"type\":\"s
tring\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ExtraInfo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FailureName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FailureNameLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FileVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FinalStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IdleImplementation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IdleStateCount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ImpersonationLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IntegrityLevel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IpAddr
ess\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.IpPort\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.KeyLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LastBootGood\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LastShutdownGood\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LmPackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MajorVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Maximum
PerformancePercent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MemberName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MemberSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MinimumPerformancePercent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MinimumThrottlePercent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MinorVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSchemeGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NominalFrequency\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"winlog.event_data.Number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSchemeGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OriginalFileName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PerformanceImplementation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PreviousCreationUtcTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PreviousTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PrivilegeList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessPath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProcessPid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PuaCount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PuaPolicyId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.QfeVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SchemaVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ScriptBlockText\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"winlog.event_data.ShutdownActionType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ShutdownEventCode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ShutdownReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SignatureStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Signed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.StartTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.State\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.StopTime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TSId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetInfo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetLogonGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetServerName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TerminalSessionId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TokenElevationType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TransmittedServices\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Workstation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param3\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param4\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param6\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param7\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.param8\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.keywords\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.channel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.record_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.related_activity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.opcode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_guid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.provider_name\",\"type\":\"string\",\"count
\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.task\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"tags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"log.file.path\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"related.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"service.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"sour
ce.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"winlog.logon.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.failure.reason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.failure.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.logon.failure.sub_status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computerObject.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computerObject.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.computerObject.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessGranted\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessList\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessListDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessMask\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromD
ocValues\":true},{\"name\":\"winlog.event_data.AccessMaskDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccessRemoved\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccountDomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccountExpires\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AllowedToDelegateTo\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuditPolicyChanges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuditPolicyChangesDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.AuditSourceName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CallerProcessId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CallerProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"in
dexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CategoryId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ClientAddress\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ClientName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CommandLine\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.CrashOnAuditFailValue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DisplayName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainBehaviorVersion\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainPolicyChanged\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.DomainSid\",\"type\":\"string\",\"count\":0
,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Dummy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.EventSourceId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.FailureReason\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.GroupTypeChange\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.HandleId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.HomeDirectory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.HomePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.KerberosPolicyChange\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonHours\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.LogonID\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MachineAccountQuota\",\"type\":\"string\"
,\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MandatoryLabel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.MixedDomainMode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdDacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdDacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdDacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdSacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdSacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewSdSacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewTargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewUACList\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.NewUacValue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ObjectName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ObjectServer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ObjectType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OemInformation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSd\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdDacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdDacl1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdDacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdSacl0\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdSacl1\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldSdSacl2\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldTargetUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.OldUacValue\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PackageName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PasswordLastSet\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PasswordHistoryLength\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ParentProcessName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PreAuthType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.PrimaryGroupId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ProfilePath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Resource
Attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SamAccountName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ScriptPath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SidHistory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.Service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceAccount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceFileName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceStartType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.ServiceType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SessionName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.ev
ent_data.SidFilteringEnabled\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.StatusDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubCategory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubCategoryGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubcategoryGuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubCategoryId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubcategoryId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.SubStatus\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TargetSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TdoAttributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TdoDirection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":
true},{\"name\":\"winlog.event_data.TdoType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketEncryptionType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketEncryptionTypeDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketOptions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.TicketOptionsDescription\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserAccountControl\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserParameters\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserPrincipalName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.UserWorkstations\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.event_data.WorkstationName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.outcome\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.time_created\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.trustAttribute\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.trustDirection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.trustType\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.BackupPath\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.Channel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectDomainName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectLogonId\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectUserName\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"winlog.user_data.SubjectUserSid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"winlog.user_data.xml_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"action_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"completed_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data.comment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"started_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.action_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.completed_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.data.command\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\"
:true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.data.comment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"EndpointActions.started_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"error.stack_trace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"error.stack_trace.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"error.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agents\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"expiration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"input_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.expiration\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.input_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"EndpointActions.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Events\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggr
egatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.artifacts.global\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"s
earchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.cross_session\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.feature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.parent_to_child\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.self_injection\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.thread_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Memory_protection.unique_key_v1\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.feature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.data\",\"type\":\"binary\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Ransomware.child_processes.files.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.metrics\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.original.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.files.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.child_processes.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Ransomware.feature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.data\",\"type\":\"binary\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":
false,\"readFromDocValues\":false},{\"name\":\"Ransomware.files.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.metrics\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.operation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.original.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.files.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Ransomware.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.@tim
estamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.action.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.action.field\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Responses.action.state\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Responses.process\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Responses.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Responses.result\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Target.dll.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"Target.dll.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.ancestry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"Target.process.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.authentication_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.exists\",\"type\":\"boole
an\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.malware_class
ification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregata
ble\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.allocation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.bytes_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.bytes_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.memory_region.bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.matches\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.mapped_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.memory_pe_detected\",\"type\":\
"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.region_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.memory_region.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.session\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":t
rue,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.toke
n.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.executable.text\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.subject_n
ame\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.name\",\"type\":\"string\",\"
count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.real.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.entity_id\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process
.parent.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tru
e},{\"name\":\"Target.process.parent.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.parent.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.instruction_pointer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.memory_section.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.memory_section.protection\",\"type\":\"string\",\"count\":0,\"scrip
ted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.memory_section.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.module_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.rva\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack.symbol_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"
readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_final_user_module.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.call_stack_summary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.parameter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.parameter_bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Target.process.thread.Ext.parameter_bytes_compressed_pr
esent\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_bytes_disasm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_bytes_disasm_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.start_address_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.elevation\",\"type\":\"boolean\",\"c
ount\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.sid\",\"type\":\"string\",
\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.Ext.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"Target.process.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Target.process.working_directory.text\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"agent.ephemeral_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchabl
e\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"dll.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.malware_classificati
on.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.type\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.risk_score\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.entry_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.code_page\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.collection.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.errors\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.errors.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.errors.error_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.file_extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"
aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.project_file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"in
dexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.raw_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.macro.stream.raw_code_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"file.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":t
rue,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.original.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.quarantine_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.quarantine_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"file.Ext.quarantine_result\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.temp_file_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.windows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.windows.zone_identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.accessed\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.trusted\",\"type\":\"
boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.ctime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.drive_letter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.sha256\",\"type\":\"st
ring\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.mtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.description\",\"type\":\"string\",\"cou
nt\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target_path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.target_path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext.real\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggre
gatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext.variant\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":f
alse,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.full_name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"host.user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.ancestry\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.authentication_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.subject_name\",\"type\":\"string
\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"process.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"process.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.features\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"process.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_c
lassification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.allocation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.bytes_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.bytes_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.Ext.memory_region.bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.all_na
mes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.mapped_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.memory_pe_detected\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_base\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.region_state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.memory_region.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.services\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.session\",\"type\":\"string\",\
"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ex
t.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.va
lid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchab
le\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signatu
re.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.compile_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.mapped_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.Ext.mapped_size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\"
:false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.dll.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.real\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.real.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\
"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.Ext.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sear
chable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatab
le\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":
\"process.parent.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.parent.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.product\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.instruction_pointer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.memory_section.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.memory_section.protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.memory_section.size\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.module_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack.rva\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"nam
e\":\"process.thread.Ext.call_stack.symbol_info\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.hash.sha256\"
,\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_final_user_module.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.call_stack_summary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.parameter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.parameter_bytes_compressed\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"process.thread.Ext.parameter_bytes_compressed_present\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.service\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_allocation_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_bytes_disasm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_bytes_disasm_hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.start_address_module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.elevation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.elevation_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.impersonation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.integrity_level\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.integrity_level_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"process.thread.Ext.token.is_appcontainer\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges.enabled\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.privileges.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.sid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.token.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.Ext.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"process.title.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"process.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"registry.data.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.author\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.id\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.license\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.ruleset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.uuid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"rule.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator\",\"type\":\"
string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.as.organization.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.confidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.email.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.status\",\"type\":\
"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.entry_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.header_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.header_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchab
le\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":t
rue,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.secondary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"i
ndexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.monotonic_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.original.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.quarantine_message\",\"type\":\"stri
ng\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.quarantine_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.quarantine_result\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.temp_file_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.windows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.Ext.windows.zone_identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.accessed\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.ind
icator.file.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.ctime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.drive_letter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"thr
eat.enrichments.indicator.file.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sea
rchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.extension\",\"type\":\"strin
g\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"
searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.mtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.target_path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.target_path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.file.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.first_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue},{\"name\":\"threat.enrichments.indicator.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.
enrichments.indicator.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.last_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.marking.tlp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.modified_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"
indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.data.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"r
eadFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.data.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.hive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.registry.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.scanner_stats\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.sightings\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichmen
ts.indicator.url.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.fragment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.original.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.registered_domain\",\"type\":\"string\",\"count\"
:0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.scheme\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.url.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.alternative_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.organization\",\"type\":\"strin
g\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.issuer.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.not_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.not_before\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.public_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.public_key_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.public_key_exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"threat.enrichments.indicator.x509.public_key_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509
.signature_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.subject.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.indicator.x509.version_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.atomic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":t
rue},{\"name\":\"threat.enrichments.matched.field\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.enrichments.matched.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.framework\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.alias\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.group.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.as.organ
ization.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.confidence\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.email.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"in
dexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.entry_modified\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.header_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.header_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.features.data.buffer\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.features.data.decompressed_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.features.data.encoding\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.score\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classificati
on.threshold\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.upx_packed\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_classification.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.secondary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.monotonic_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.original.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.quarantine_message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.quarantine_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.quarantine_result\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.temp_file_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.windows\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.Ext.windows.zone_identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"threat.indicator.file.accessed\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.ctime\",\"type\":\"date\",\"count\":
0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.drive_letter\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"threat.indicator.file.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.flags\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"se
archable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.gid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.group\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.inode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.mime_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"i
ndexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.mode\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.mtime\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.owner\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.file_version\",\"type\":\"string\",\"count\":0,
\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.target_path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.target_path.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.target_path.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.file.uid\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.first_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.city_nam
e\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\
"name\":\"threat.indicator.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.last_seen\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.marking.tlp\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.modified_at\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.
description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.data.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.data.strings\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"t
hreat.indicator.registry.hive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.registry.value\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.scanner_stats\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.sightings\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.extension\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.fragment\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.ind
icator.url.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.original.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.password\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.query\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.scheme\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.url.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"threat.indicator.url.username\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.alternative_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.issuer.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.not_after\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.not_before\",\"type\":\"date\",\"count\":0,\"script
ed\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.public_key_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.public_key_curve\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.public_key_exponent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"threat.indicator.x509.public_key_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.signature_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.common_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.country\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.distinguished_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.locality\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.organization\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.organizational_unit\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.subject.state_or_province\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.indicator.x509.version_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.platforms\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.software.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.tactic.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.tactic.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\
"readFromDocValues\":true},{\"name\":\"threat.tactic.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.technique.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"threat.technique.subtechnique.reference\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\
":\"user.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.full_name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"user.group.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.Ext.real\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.Ext.real.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.Ext.real.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":tru
e,\"readFromDocValues\":true},{\"name\":\"user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"event.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.Ext.correlation\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.Ext.correlation.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.entropy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.header_bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.header_data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.all_names\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.identifier\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary\",\
"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.matches\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.primary.signature.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.secondary\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.malware_signature.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"file.Ext.monotonic_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.defense_evasions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dll.Ext.load_index\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"destination.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.Ext.options\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.Ext.status\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.registered_domain\",\"t
ype\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.question.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"dns.resolved_ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.request.body.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.request.body.content\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.request.body.content.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"http.request.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.Ext.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.content\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.body.content.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"http.response.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"http.response.status_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.community_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.direction\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.iana_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.protocol\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.transport\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"network.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.address\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"package.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.defense_evasions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.elevation_level\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.Ext.token.security_attributes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"count\":0,\"s
cripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.data.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.data.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.hive\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"registry.key\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "logs-*"}, "coreMigrationVersion": "7.16.2", "id": "logs-*", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 2902], "type": "index-pattern", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDk2LDE1XQ=="} +{"attributes": {"allowNoIndex": true, "fieldFormatMap": 
"{\"system.process.memory.size\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.usage.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.usage.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.kmem_tcp.limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.active_anon.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.active_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.cache.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.inactive_anon.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.inactive_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.mapped_file.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.rss.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.rss_huge.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.swap.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.stats.unevictable.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.blkio.total.bytes\":{\"id\":\"bytes\"},\"system.core.user.pct\":{\"id\":\"percent\"},\"system.core.system.pct\":{\"id\":\"percent\"},\"system.core.ni
ce.pct\":{\"id\":\"percent\"},\"system.core.idle.pct\":{\"id\":\"percent\"},\"system.core.iowait.pct\":{\"id\":\"percent\"},\"system.core.irq.pct\":{\"id\":\"percent\"},\"system.core.softirq.pct\":{\"id\":\"percent\"},\"system.core.steal.pct\":{\"id\":\"percent\"},\"host.disk.read.bytes\":{\"id\":\"bytes\"},\"host.disk.write.bytes\":{\"id\":\"bytes\"},\"system.diskio.read.bytes\":{\"id\":\"bytes\"},\"system.diskio.write.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.read.per_sec.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.write.per_sec.bytes\":{\"id\":\"bytes\"},\"system.diskio.iostat.request.avg_size\":{\"id\":\"bytes\"},\"host.cpu.pct\":{\"id\":\"percent\"},\"system.cpu.user.pct\":{\"id\":\"percent\"},\"system.cpu.system.pct\":{\"id\":\"percent\"},\"system.cpu.nice.pct\":{\"id\":\"percent\"},\"system.cpu.idle.pct\":{\"id\":\"percent\"},\"system.cpu.iowait.pct\":{\"id\":\"percent\"},\"system.cpu.irq.pct\":{\"id\":\"percent\"},\"system.cpu.softirq.pct\":{\"id\":\"percent\"},\"system.cpu.steal.pct\":{\"id\":\"percent\"},\"system.cpu.total.pct\":{\"id\":\"percent\"},\"system.cpu.user.norm.pct\":{\"id\":\"percent\"},\"system.cpu.system.norm.pct\":{\"id\":\"percent\"},\"system.cpu.nice.norm.pct\":{\"id\":\"percent\"},\"system.cpu.idle.norm.pct\":{\"id\":\"percent\"},\"system.cpu.iowait.norm.pct\":{\"id\":\"percent\"},\"system.cpu.irq.norm.pct\":{\"id\":\"percent\"},\"system.cpu.softirq.norm.pct\":{\"id\":\"percent\"},\"system.cpu.steal.norm.pct\":{\"id\":\"percent\"},\"system.cpu.total.norm.pct\":{\"id\":\"percent\"},\"system.filesystem.available\":{\"id\":\"bytes\"},\"system.filesystem.free\":{\"id\":\"bytes\"},\"system.filesystem.total\":{\"id\":\"bytes\"},\"system.filesystem.used.bytes\":{\"id\":\"bytes\"},\"system.filesystem.used.pct\":{\"id\":\"percent\"},\"process.cpu.pct\":{\"id\":\"percent\"},\"process.memory.pct\":{\"id\":\"percent\"},\"system.process.cpu.total.pct\":{\"id\":\"percent\"},\"system.process.cpu.total.norm.pct\":{\"id\":\"percent\"},\"syst
em.process.memory.rss.bytes\":{\"id\":\"bytes\"},\"system.process.memory.rss.pct\":{\"id\":\"percent\"},\"system.process.memory.share\":{\"id\":\"bytes\"},\"system.process.cgroup.cpu.pressure.some.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.some.total\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.cpu.pressure.full.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.memory.mem.low.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.high.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.mem.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.low.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.high.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.memory.memsw.max.bytes\":{\"id\":\"bytes\"},\"system.process.cgroup.io.pressure.full.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.60.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.full.300.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.some.10.pct\":{\"id\":\"percent\"},\"system.process.cgroup.io.pressure.some.60.pct\":{\"id\":\"percent\"},\"system.socket.summary.tcp.memory\":{\"id\":\"bytes\"},\"system.socket.summary.udp.memory\":{\"id\":\"bytes\"},\"system.fsstat.total_size.free\":{\"id\":\"bytes\"},\"system.fsstat.total_size.used\":{\"id\":\"bytes\"},\"system.fsstat.total_size.total\":{\"id\":\"bytes\"},\"system.memory.total\":{\"id\":\"bytes\"},\"system.memory.used.bytes\":{\"id\":\"bytes\"},\"system.memory.free\":{\"id\":\"bytes\"},\"system.memory.used.pct\":{\"id\":\"percent\"},\"system.memory.actual.used.bytes\":{\"id\":\"bytes\"},\"system.memory.actual.free\":{\"id\":\"bytes\"},\"system.memory.actual.
used.pct\":{\"id\":\"percent\"},\"system.memory.swap.total\":{\"id\":\"bytes\"},\"system.memory.swap.used.bytes\":{\"id\":\"bytes\"},\"system.memory.swap.free\":{\"id\":\"bytes\"},\"system.memory.swap.used.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.pgscan_kswapd.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgscan_direct.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgfree.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgsteal_kswapd.pages\":{\"id\":\"number\"},\"system.memory.page_stats.pgsteal_direct.pages\":{\"id\":\"number\"},\"system.memory.page_stats.direct_efficiency.pct\":{\"id\":\"percent\"},\"system.memory.page_stats.kswapd_efficiency.pct\":{\"id\":\"percent\"},\"system.memory.hugepages.total\":{\"id\":\"number\"},\"system.memory.hugepages.used.bytes\":{\"id\":\"bytes\"},\"system.memory.hugepages.used.pct\":{\"id\":\"percent\"},\"system.memory.hugepages.free\":{\"id\":\"number\"},\"system.memory.hugepages.reserved\":{\"id\":\"number\"},\"system.memory.hugepages.surplus\":{\"id\":\"number\"},\"system.memory.hugepages.default_size\":{\"id\":\"bytes\"},\"host.network.in.bytes\":{\"id\":\"bytes\"},\"host.network.out.bytes\":{\"id\":\"bytes\"},\"system.network.out.bytes\":{\"id\":\"bytes\"},\"system.network.in.bytes\":{\"id\":\"bytes\"},\"system.uptime.duration.ms\":{\"id\":\"duration\"},\"event.sequence\":{\"id\":\"string\"},\"event.severity\":{\"id\":\"string\"}}", "fields": 
"[{\"name\":\"cloud.account.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.availability_zone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.instance.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.machine.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.region\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.project.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"cloud.image.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.image.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"container.labels\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\
":true,\"readFromDocValues\":true},{\"name\":\"container.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.hostname\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.family\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.kernel\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.name.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValu
es\":true},{\"name\":\"host.os.platform\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.containerized\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.build\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.codename\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"data_stream.namespace\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"@timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.acked\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.active\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.batches\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.duplicates\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.failed\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.toomany\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.events.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.write.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.write.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.process\",\"type\":\"string\
",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.snapshot\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic_agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.user.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.value\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.time.ms\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.user.time.ms\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.system.time.ms\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.fd.open\",\"type\":\"number\",\"count\":0,\
"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.fd.limit.soft\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.fd.limit.hard\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.cfs.period.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.cfs.quota.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.cfs.shares\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.rt.period.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.rt.runtime.u
s\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.throttled.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.throttled.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.total.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.user.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.system.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.percpu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searc
hable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":
true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.usage.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.kmem_tcp.failures\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.active_anon.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.active_file.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.cache.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"ag
gregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.inactive_anon.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.inactive_file.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.mapped_file.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.page_faults\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.major_page_faults\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.pages_in\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.pages_out\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.rss.bytes\",\"type\":\"number\",\"count\":0,\"scripted
\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.rss_huge.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.swap.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.unevictable.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.total.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.blkio.total.ios\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.host\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.uu
id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.beat.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.cpu.cores\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.norm.1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.norm.15\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.system.load.norm.5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.system.time.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.total.value\",\"type\":\"number\"
,\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.total.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.total.time.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.user.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cpu.user.time.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.info.ephemeral_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.info.uptime.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.cfs.period.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.cfs.quota.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.stats.periods\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.stats.throttled.periods\",\"ty
pe\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpu.stats.throttled.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpuacct.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.cpuacct.total.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.memory.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.memory.mem.limit.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.cgroup.memory.mem.usage.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.gc_next\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.memory.alloc\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.memory.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.memstats.rss\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"b
eat.stats.handles.open\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.handles.limit.hard\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.handles.limit.soft\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.uptime.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.runtime.goroutines\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.clients\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.queue.acked\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.active\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.failed\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.filtered\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggrega
table\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.published\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.retry\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.pipeline.events.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.config.running\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.config.starts\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.config.stops\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.read.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"beat.stats.libbeat.output.read.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.module\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.dataset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":tru
e,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.cpu.usage\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.disk.read.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.disk.write.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region
_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.egress.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.egress.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.ingress.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.ingress.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggreg
atable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.user.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.user.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.nice.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.nice.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.idle.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.idle.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.iowait.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.iowait.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.irq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.irq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.softirq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.softirq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDoc
Values\":true},{\"name\":\"system.core.steal.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.core.steal.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.serial_number\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.read.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.write.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.read.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.write.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.read.time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.write.time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.io.time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.request.m
erges_per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.request.merges_per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.request.per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.request.per_sec\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.per_sec.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.read.await\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.per_sec.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.write.await\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.request.avg_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.queue.avg_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.await\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\"
:true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.service_time\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.diskio.iostat.busy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.cpu.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.cores\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.nice.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.idle.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.iowait.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.irq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.softirq.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.steal.pct\",\
"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.total.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.user.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.system.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.nice.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.idle.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.iowait.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.irq.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.softirq.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.steal.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.total.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.user.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"
indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.system.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.nice.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.idle.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.iowait.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.irq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.softirq.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.cpu.steal.ticks\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.available\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.device_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.mount_point\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true
,\"readFromDocValues\":true},{\"name\":\"system.filesystem.files\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.free_files\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.filesystem.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.cpu.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.cpu.start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.memory.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.args_count\",\"type\":\"number\",\"count
\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.digest_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.subject_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.architecture\",\"type\":\"str
ing\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed
\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searcha
ble\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.segments.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash
.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.args_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.digest_algorithm\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.exists\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.signing_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.subject_na
me\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.team_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.timestamp\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.trusted\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.code_signature.valid\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.command_line\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.byte_order\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.cpu_type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.creation_date\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.exports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\"
:\"process.parent.elf.header.abi_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.class\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.data\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.entrypoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.object_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.os_abi\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.header.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.imports\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.chi2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,
\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.entropy\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.flags\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.physical_offset\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.physical_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.virtual_address\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.sections.virtual_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.segments\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.segments.sections\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.segments.type\",\"type\":\"string\",\"count\":0,\
"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.shared_libraries\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.elf.telfhash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.entity_id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.executable\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.exit_code\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.md5\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha1\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.sha512\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.hash.ssdeep\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.original_file_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"read
FromDocValues\":true},{\"name\":\"process.parent.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.parent.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.architecture\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.company\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.description\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.file_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.imphash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.original_file_name\",\"type
\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pe.product\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pgid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.pid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.ppid\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.id\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.thread.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.title\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.uptime\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"process.working_directory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"us
er.changes.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.changes.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,
\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.effective.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.id\",\"type\":\"string\",\"co
unt\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.hash\",
\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"user.target.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cmdline\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.env\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.total.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cpu.start_time\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.rss.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.rss.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\"
:true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.memory.share\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cgroups_version\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.usage.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.usage.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.usage.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.user.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.user.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.system.ns\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":tr
ue},{\"name\":\"system.process.cgroup.cpu.stats.system.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.stats.throttled.us\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.some.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpu.pressure.full.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name
\":\"system.process.cgroup.cpuacct.total.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.total.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.user.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.user.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.system.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.cpuacct.stats.system.norm.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.low.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.high.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.low\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.
memory.mem.events.high\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.max\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.oom\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.oom_kill\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.mem.events.fail\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.low.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.high.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.max.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.low\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.high\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.max\
",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.oom\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.oom_kill\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.memsw.events.fail\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.*\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.memory.stats.*.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.path\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*.*\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*.*.bytes\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true
,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.stats.*.*.ios\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.full.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.10.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.60.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.300.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.cgroup.io.pressure.some.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"gr
oup.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.address\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.number\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.as.organization.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.city_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.continent_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.country_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":tr
ue,\"readFromDocValues\":true},{\"name\":\"source.geo.country_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.location\",\"type\":\"geo_point\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.postal_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_iso_code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.region_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.geo.timezone\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.mac\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.ip\",\"type\":\"ip\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.nat.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\
"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.port\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.registered_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.subdomain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.top_level_domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.email\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.full_name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.group.domain\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.group.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.group.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.id\",\"type\
":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"source.user.roles\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.all.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.all.listening\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.orphan\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.listening\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.established\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.close_wait\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"syste
m.socket.summary.tcp.all.time_wait\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.syn_sent\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.syn_recv\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.fin_wait1\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.fin_wait2\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.last_ack\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.tcp.all.closing\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.udp.memory\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.socket.summary.udp.all.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_files\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"agg
regatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_size.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_size.used\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.fsstat.total_size.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.actual.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.actual.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.actual.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\
":true},{\"name\":\"system.memory.swap.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.out.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.in.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.readahead.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.readahead.cached\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.swap.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgscan_kswapd.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgscan_direct.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgfree.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgsteal_kswapd.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"sear
chable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.pgsteal_direct.pages\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.direct_efficiency.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.page_stats.kswapd_efficiency.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.used.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.used.pct\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.reserved\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.surplus\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.default_size\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.swap.out.pa
ges\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.memory.hugepages.swap.out.fallback\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.running\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.idle\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.sleeping\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.stopped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.zombie\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.dead\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.process.summary.unknown\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.in.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.in.pack
ets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.out.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.network.out.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.packets\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.errors\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.in.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.network.out.dropped\",\"type\":\"number\",\"count\":0,\"scripted\":fal
se,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.uptime.duration.ms\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.1\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.5\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.15\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.norm.1\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.norm.5\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.norm.15\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"system.load.cores\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.capabilities\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":false},{\"name\":\"Endpoint.configuration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.configuration.isolation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"E
ndpoint.policy\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.state\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.state.isolation\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregat
able\":true,\"readFromDocValues\":true},{\"name\":\"ecs.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"elastic.agent.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.action\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.category\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.code\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.created\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.hash\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.id\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.ingested\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.kind\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.outcome\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDo
cValues\":true},{\"name\":\"event.provider\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.sequence\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.severity\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.type\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.Ext.variant\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"host.os.full.text\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":false,\"readFromDocValues\":true},{\"name\":\"host.os.name.caseless\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchabl
e\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint.histogram\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint.latest\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.cpu.endpoint.mean\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.metrics.disks.device\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.endpoint_drive\",\"type\":\"boolean\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.free\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.fstype\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.mount\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.disks.total\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume\",\"type\":\"string\",\"count\":0,\"scripted\":fals
e,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.file_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.library_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues
\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.network_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.overall.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.suppressed_bytes\",\"type\
":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.process_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.sent_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.sent_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.suppressed_bytes\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.documents_volume.registry_events.suppressed_count\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint.private\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memory.endpoint.private.latest\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.memo
ry.endpoint.private.mean\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.system_impact\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.metrics.threads\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.metrics.uptime\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.uptime.endpoint\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.metrics.uptime.system\",\"type\":\"number\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.end\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"event.start\",\"type\":\"date\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions.message\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.actions.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.
actions.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.artifacts.global\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.global.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.identifiers.name\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.appl
ied.artifacts.user.identifiers.sha256\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.artifacts.user.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.endpoint_policy_version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.configurations\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.configurations.antivirus_registration\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.configurations.antivirus_registration.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.antivirus_registration.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.behavior_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.behavior_protection.status\",\"typ
e\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.events\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.events.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.events.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.host_isolation.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.logging\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.logging.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.logging.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.malware\",\"type\":\"string\",\"count\":0,\"scripted\":fa
lse,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.malware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.malware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.memory_protection\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.memory_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.memory_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.ransomware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.ransomware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.streaming\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.streaming.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.configurations.streaming.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":false,\"searchable\":false,\"aggregatable\":false,\"readFromDocValues\":false},{\"name\":\"Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.behavior_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.credential_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.credential_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.malware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.malware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted
\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_protection.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_scan.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.memory_scan.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.ransomware.concerned_actions\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.response.diagnostic.ransomware.status\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"Endpoint.policy.applied.version\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true},{\"name\":\"agent.build.original\",\"type\":\"string\",\"count\":0,\"scripted\":false,\"indexed\":true,\"searchable\":true,\"aggregatable\":true,\"readFromDocValues\":true}]", "timeFieldName": "@timestamp", "title": "metrics-*"}, "coreMigrationVersion": "7.16.2", "id": "metrics-*", "migrationVersion": {"index-pattern": "7.11.0"}, "references": [], "sort": [1643385898421, 2830], "type": "index-pattern", "updated_at": "2022-01-28T16:04:58.421Z", "version": "WzE0NDc2LDE1XQ=="} +{"excludedObjects": [], "excludedObjectsCount": 0, "exportedCount": 823, "missingRefCount": 1, "missingReferences": [{"id": 
"0b963f20-6f9c-11ec-864c-8b5450f97635", "type": "tag"}]} From b7ad4e0570e3d4ba1d6662fae84c736195bb0895 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 15 Feb 2023 14:19:29 -0500 Subject: [PATCH 106/470] Change default data view from 'so-*' to 'logs-*' --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 3ac67ed27..dce56b582 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From dcbf5a2fa607c433a6d0a6bb61ac9cbdd8ca5a6f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 16 Feb 2023 10:55:32 -0500 Subject: [PATCH 107/470] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7f2e97617..197c4d5c2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-kilo +2.4.0 From 79041d091ea98470edafdd47bcc454ba37eeafa2 Mon Sep 17 00:00:00 2001 
From: Jason Ertel
Date: Thu, 16 Feb 2023 13:22:13 -0500
Subject: [PATCH 108/470] influx upgrade
---
salt/common/tools/sbin/so-influxdb-manage | 1 -
1 file changed, 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-influxdb-manage b/salt/common/tools/sbin/so-influxdb-manage
index 907e0342c..b22d63bb6 100644
--- a/salt/common/tools/sbin/so-influxdb-manage
+++ b/salt/common/tools/sbin/so-influxdb-manage
@@ -128,7 +128,6 @@ lookup_org_id_with_wait() {
 wait=10
 while [[ $attempts -lt $max_attempts ]]; do
 response=$(request orgs?org=Security+Onion)
- check_response "$response"
 oid=$(echo "$response" | jq -r ".orgs[] | select(.name == \"Security Onion\").id")
 if [[ -z $oid ]]; then
 attempts=$((attempts+1))
From 59b1af15dbfe0265dae8b182185a95232bce3c01 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 16 Feb 2023 13:49:19 -0500
Subject: [PATCH 109/470] correct top order for import
---
salt/top.sls | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/top.sls b/salt/top.sls
index 5745b02db..3c4401478 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -318,9 +318,9 @@ base:
 - sensoroni
 - manager
 - nginx
- - soc
- - influxdb
 - telegraf
+ - influxdb
+ - soc
 - kratos
 - firewall
 - idstools
From 405060674c6becad98532a8f3f849bdcc1e28a23 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 16 Feb 2023 17:49:07 -0500
Subject: [PATCH 110/470] Salt 3006 temp
---
setup/so-functions | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index ad93bc5ba..e71caa0a1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -617,7 +617,8 @@ configure_minion() {
 sed -i "s/{{ GLOBALS.main_interface }}/$MNIC/" /etc/salt/minion.d/mine_functions.conf
 {
- systemctl restart salt-minion;
+ logCmd "systemctl enable salt-minion";
+ logCmd "systemctl restart salt-minion";
 } >> "$setup_log" 2>&1
 }
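Review bot: Dropping `check_response "$response"` from lookup_org_id_with_wait means an error reply from `request orgs?org=Security+Onion` (auth failure, TLS error, 5xx) is no longer validated before being fed to jq; jq then yields an empty `oid` and the loop retries until `max_attempts` as if the org simply did not exist yet. If the removal is meant to tolerate the not-yet-created case during the upgrade, a narrower check that only ignores a missing org and still surfaces other failures would keep that diagnostic, e.g. `check_response "$response" || break`, assuming check_response returns non-zero rather than exiting. The rest of lookup_org_id_with_wait, including what happens once the retries are exhausted, is outside the hunk.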
@@ -817,10 +818,10 @@ copy_salt_master_config() {
 title "Copy the Salt master config template to the proper directory"
 if [ "$setup_type" = 'iso' ]; then
 logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master"
- logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
+ #logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
 else
 logCmd "cp ../files/salt/master/master /etc/salt/master"
- logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
+ #logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
 fi
 info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
 logCmd "cp -Rv $temp_install_dir/pillar/ $local_salt_dir/"
@@ -830,6 +831,7 @@ copy_salt_master_config() {
 # Restart the service so it picks up the changes
 logCmd "systemctl daemon-reload"
+ logCmd "systemctl enable salt-master"
 logCmd "systemctl restart salt-master"
 }
@@ -2008,16 +2010,17 @@ saltify() {
 fi
- if [[ $is_centos ]]; then
+ if [[ $is_rocky ]]; then
 RUSALTY=$(rpm -qa | grep salt-minion | wc -l)
 if [[ "$RUSALTY" -gt 0 ]]; then
 # Salt is already installed.
 info "salt is installed"
 else
- # Install salt
+ # THIS IS A TEMP HACK
+ logCmd "dnf -y install securityonion-salt"
 if [[ $waitforstate ]]; then
 # Since this is a salt master so let's install it
- logCmd "dnf -y install salt-minion salt-master"
+ logCmd ""
 else
 # We just need the minion
 logCmd "dnf -y install salt-minion"
From dfa5503e4179b69c4f1d6d13abdfae09fe38f0f4 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 17 Feb 2023 07:06:36 -0500
Subject: [PATCH 111/470] UPGRADE: Elastic 8.6.2 #9804
---
salt/kibana/files/config_saved_objects.ndjson | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
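Review bot: In the saltify hunk the salt-master branch now runs `logCmd ""`, an empty command that is executed and logged but installs nothing; since `securityonion-salt` is installed unconditionally two lines above, the `if [[ $waitforstate ]]` branch should either install whatever the master still needs or be collapsed into the minion branch rather than left as a placeholder. The `# THIS IS A TEMP HACK` marker says nothing about the intended permanent form, so a one-line comment naming what `securityonion-salt` is expected to bundle would make this reviewable. In the copy_salt_master_config hunks the two `#logCmd "cp ... salt-master.service ..."` lines are commented out rather than removed, so the unit file now comes from whatever the package ships; delete them and record why in the commit message. Both functions start outside the hunks shown.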
diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index dce56b582..cc25b61e4 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson @@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.1","id": "8.6.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.2","id": "8.6.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} From ef3abe158c5952adcb2581ca627ca712e87d6044 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 17 Feb 2023 07:07:20 -0500 Subject: [PATCH 112/470] UPGRADE: Elastic 8.6.2 #9804 --- salt/kibana/bin/so-kibana-config-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index 2a4e85b9d..63ad170f2 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load 
@@ -63,7 +63,7 @@ update() {
 IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
 for i in "${LINES[@]}"; do
- RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
+ RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
 echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
 done
From 353b77cd5948c628b8d37f11adecad5726b964e2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Feb 2023 10:40:43 -0500
Subject: [PATCH 113/470] add minions.d dir
---
salt/common/packages.sls | 3 ---
setup/so-functions | 5 ++++-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index 0bb36d07f..006e33c3e 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -45,13 +45,10 @@ commonpkgs:
 - createrepo
 - python3-lxml
 - python3-packaging
- - python3-watchdog
- - yum-utils
 - device-mapper-persistent-data
 - lvm2
 - openssl
 - git
- - vim-enhanced
 - python3-docker
 {% else %}
 commonpkgs:
diff --git a/setup/so-functions b/setup/so-functions
index e71caa0a1..0b4ba9fa1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
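Review bot: The packages.sls hunk removes `yum-utils` from commonpkgs while the so-functions change in the same commit still relies on `dnf reposync` in repo_sync_local, and PATCH 116 later in this series adds `yum-utils` back in place of `createrepo`; the two edits look like they are fighting over the same dependency. If reposync on Rocky is provided by the dnf plugins that `yum-utils` pulls in, the removal here leaves minions that never run repo_sync_local without it. A short comment next to the package list stating which host role needs reposync and createrepo would stop this from being toggled back and forth.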
@@ -1965,7 +1965,9 @@ repo_sync_local() { # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" - + # Run it again and make sure we got allt he things + logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + # After the download is complete run createrepo create_repo @@ -2018,6 +2020,7 @@ saltify() { else # THIS IS A TEMP HACK logCmd "dnf -y install securityonion-salt" + logCmd "mkdir -p /etc/salt/minion.d" if [[ $waitforstate ]]; then # Since this is a salt master so let's install it logCmd "" From 8b680693f4a38313184088de1cc957fe7ba48972 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 17 Feb 2023 11:01:17 -0500 Subject: [PATCH 114/470] remove patch pkg and patching of influx --- salt/common/tools/sbin/soup | 9 ----- salt/influxdb/init.sls | 3 -- salt/salt/helper-packages.sls | 3 -- salt/salt/minion.sls | 21 ---------- salt/salt/python3-influxdb.sls | 70 ---------------------------------- setup/so-functions | 4 -- setup/so-setup | 1 - 7 files changed, 111 deletions(-) delete mode 100644 salt/salt/helper-packages.sls delete mode 100644 salt/salt/python3-influxdb.sls diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 6bdd49661..1ee166657 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
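Review bot: In repo_sync_local the added second `dnf reposync ...` is an exact repeat of the line above it, with no check of the first run's exit status and a comment (`# Run it again and make sure we got allt he things`) that has a typo and does not say what the first pass misses. If the first sync can return before every package lands, a retry loop keyed on reposync's exit code documents the intent better than a blind duplicate; at minimum change the comment to `# Run reposync a second time; a single pass can leave packages missing`. The `mkdir -p /etc/salt/minion.d` in the saltify hunk is harmless, though it is only needed if the `securityonion-salt` package does not create that directory itself, which is not visible here. Both functions start and end outside the hunks.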
@@ -1026,8 +1026,6 @@ upgrade_salt() {
 else
 echo "Salt upgrade success."
 echo ""
- echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again."
- rm -vrf /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdb_retention_policy.py.patched /opt/so/state/influxdbmod.py.patched
 fi
 }
@@ -1138,9 +1136,7 @@ fix_wazuh() {
 # Update the repo files so it can actually upgrade
 upgrade_salt
 fi
- rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched
 systemctl_func "start" "salt-master"
- salt-call state.apply salt.python3-influxdb -l info
 systemctl_func "start" "salt-minion"
 systemctl_func "start" "$cron_service_name"
@@ -1309,11 +1305,6 @@ main() {
 salt-call state.show_top -l error queue=True || fail "salt-master could not be reached. Check $SOUP_LOG for details."
 set -e
- echo ""
- echo "Ensuring python modules for Salt are installed and patched."
- salt-call state.apply salt.python3-influxdb -l info queue=True
- echo ""
-
 # update the salt-minion configs here and start the minion
 # since highstate are disabled above, minion start should not trigger a highstate
 echo ""
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 4fe625209..6baabd047 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -14,7 +14,6 @@ include:
 - salt.minion
- - salt.python3-influxdb
 - ssl
 # Influx DB
@@ -111,7 +110,6 @@ telegraf_database:
 - influxdb_host: {{ GLOBALS.manager }}
 - require:
 - docker_container: so-influxdb
- - sls: salt.python3-influxdb
 - http: wait_for_influxdb
 {% for rp in influxdb.retention_policies.keys() %}
@@ -131,7 +129,6 @@ telegraf_database:
 - docker_container: so-influxdb
 - influxdb_database: telegraf_database
 - file: influxdb_retention_policy.present_patch
- - sls: salt.python3-influxdb
 {% endfor %}
 {% for dest_rp in influxdb.downsample.keys() %}
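Review bot: The third influxdb/init.sls hunk leaves `- file: influxdb_retention_policy.present_patch` in the retention-policy state's require list while this same commit deletes salt/salt/python3-influxdb.sls, the only place that state ID was declared (the `influxdb_retention_policy.present_patch: file.patch:` block). Salt refuses to run a state whose requisite cannot be found, so every state emitted by that `{% for rp in influxdb.retention_policies.keys() %}` loop will fail once the patch state is gone. Drop that require line together with the `- sls: salt.python3-influxdb` removal. The enclosing `telegraf_database` block and the loop start outside the hunk.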
diff --git a/salt/salt/helper-packages.sls b/salt/salt/helper-packages.sls deleted file mode 100644 index 32480c163..000000000 --- a/salt/salt/helper-packages.sls +++ /dev/null @@ -1,3 +0,0 @@ -patch_package: - pkg.installed: - - name: patch diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 50bb865df..5e06a361f 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -10,7 +10,6 @@ include: - salt - - salt.helper-packages - systemd.reload - repo.client @@ -34,21 +33,6 @@ install_salt_minion: exec 2>&- # close stderr nohup /bin/sh -c '{{ UPGRADECOMMAND }}' & - {# if we are the salt master #} - {% if grains.id.split('_')|first == grains.master %} -remove_influxdb_continuous_query_state_file: - file.absent: - - name: /opt/so/state/influxdb_continuous_query.py.patched - -remove_influxdbmod_state_file: - file.absent: - - name: /opt/so/state/influxdbmod.py.patched - -remove_influxdb_retention_policy_state_file: - file.absent: - - name: /opt/so/state/influxdb_retention_policy.py.patched - {% endif %} - {% endif %} {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %} @@ -115,8 +99,3 @@ salt_minion_service: - file: salt_minion_service_unit_file {% endif %} - order: last - - -patch_pkg: - pkg.installed: - - name: patch diff --git a/salt/salt/python3-influxdb.sls b/salt/salt/python3-influxdb.sls deleted file mode 100644 index 7a59c4303..000000000 --- a/salt/salt/python3-influxdb.sls +++ /dev/null 
@@ -1,70 +0,0 @@ -{% from "salt/map.jinja" import SALT_STATE_CODE_PATH with context %} -{% from "salt/map.jinja" import SALT_MODULE_CODE_PATH with context %} -{% from "salt/map.jinja" import PYTHON3INFLUX with context %} -{% from "salt/map.jinja" import PYTHON3INFLUXDEPS with context %} -{% from "salt/map.jinja" import PYTHONINSTALLER with context %} - -include: - - salt.helper-packages - -python3_influxdb_dependencies: - {{PYTHONINSTALLER}}.installed: - - pkgs: {{ PYTHON3INFLUXDEPS }} - -python3_influxdb: - {{PYTHONINSTALLER}}.installed: - - name: {{ PYTHON3INFLUX }} - -# We circumvent the file.patch state putting ERROR in the log by using the unless and file.touch below -# https://github.com/saltstack/salt/pull/47010 and https://github.com/saltstack/salt/issues/52329 - -#https://github.com/saltstack/salt/issues/59766 -influxdb_continuous_query.present_patch: - file.patch: - - name: {{ SALT_STATE_CODE_PATH }}/influxdb_continuous_query.py - - source: salt://salt/files/influxdb_continuous_query.py.patch - - require: - - {{PYTHONINSTALLER}}: python3_influxdb - - pkg: patch_package - - unless: ls /opt/so/state/influxdb_continuous_query.py.patched - -influxdb_continuous_query.py.patched: - file.touch: - - name: /opt/so/state/influxdb_continuous_query.py.patched - - onchanges: - - file: influxdb_continuous_query.present_patch - -#https://github.com/saltstack/salt/issues/59761 -influxdb_retention_policy.present_patch: - file.patch: - - name: {{ SALT_STATE_CODE_PATH }}/influxdb_retention_policy.py - - source: salt://salt/files/influxdb_retention_policy.py.patch - - require: - - {{PYTHONINSTALLER}}: python3_influxdb - - pkg: patch_package - - unless: ls /opt/so/state/influxdb_retention_policy.py.patched - -influxdb_retention_policy.py.patched: - file.touch: - - name: /opt/so/state/influxdb_retention_policy.py.patched - - onchanges: - - file: influxdb_retention_policy.present_patch - -# We should be able to set reload_modules: True in this state in order to tell salt to 
reload its python modules due to us possibly installing -# and possibly modifying modules in this state. This is bugged according to https://github.com/saltstack/salt/issues/24925 -influxdbmod.py_shard_duration_patch: - file.patch: - - name: {{ SALT_MODULE_CODE_PATH }}/influxdbmod.py - - source: salt://salt/files/influxdbmod.py.patch - - require: - - {{PYTHONINSTALLER}}: python3_influxdb - - pkg: patch_package - - unless: ls /opt/so/state/influxdbmod.py.patched - -influxdbmod.py.patched: - file.touch: - - name: /opt/so/state/influxdbmod.py.patched - - onchanges: - - file: influxdbmod.py_shard_duration_patch - - diff --git a/setup/so-functions b/setup/so-functions index 0b4ba9fa1..a0ee4c0d5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1795,10 +1795,6 @@ reinstall_init() { # Backup /opt/so since we'll be rebuilding this directory during setup backup_dir /opt/so "$date_string" - # We need to restore these files during a reinstall so python3-influxdb state doesn't try to patch again - restore_file "/opt/so_old_$date_string/state/influxdb_continuous_query.py.patched" "/opt/so/state/" - restore_file "/opt/so_old_$date_string/state/influxdb_retention_policy.py.patched" "/opt/so/state/" - restore_file "/opt/so_old_$date_string/state/influxdbmod.py.patched" "/opt/so/state/" # If the elastic license has been accepted restore the state file restore_file "/opt/so_old_$date_string/state/yeselastic.txt" "/opt/so/state/" diff --git a/setup/so-setup b/setup/so-setup index 9ecbed08c..9448a4011 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -577,7 +577,6 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.show_top" logCmd "salt-key -ya $MINION_ID" - logCmd "salt-call state.apply salt.helper-packages" logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" logCmd "salt-call state.apply docker" From 54fc07b5b8f30d82edea6139f77456e1b6ddbeab Mon Sep 17 00:00:00 2001 
From: Mike Reeves
Date: Fri, 17 Feb 2023 11:07:44 -0500
Subject: [PATCH 115/470] yum-utils
---
setup/so-functions | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index a0ee4c0d5..84d61a63c 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1949,11 +1949,11 @@ repo_sync_local() {
 echo "gpgcheck=1" >> /root/repodownload.conf
 echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf
- REPOSYNC=$(rpm -qa | grep createrepo | wc -l)
+ REPOSYNC=$(rpm -qa | grep yum-utils | wc -l)
 if [[ ! "$REPOSYNC" -gt 0 ]]; then
 # Install reposync
- info "Installing createrepo"
- logCmd "dnf -y install -c /root/repodownload.conf createrepo"
+ info "Installing yum-utils"
+ logCmd "dnf -y install -c /root/repodownload.conf yum-utils"
 else
 info "We have what we need to sync"
 fi
From 0a7ad4d2117b9bd63ad43c98672f10ce97b09865 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Feb 2023 11:16:02 -0500
Subject: [PATCH 116/470] yum-utils
---
salt/common/packages.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index 006e33c3e..a47cf5a42 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -42,7 +42,7 @@ commonpkgs:
 - mariadb-devel
 - python3-dnf-plugin-versionlock
 - nmap-ncat
- - createrepo
+ - yum-utils
 - python3-lxml
 - python3-packaging
 - device-mapper-persistent-data
From d8e85cbc28d7aee6d2b431caf3fffb8a2f33c9a7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Feb 2023 11:20:16 -0500
Subject: [PATCH 117/470] change salt version
---
salt/salt/master.defaults.yaml | 2 +-
salt/salt/minion.defaults.yaml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml
index 3e3510c8c..b4d80c476 100644
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
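Review bot: The repo_sync_local hunk now gates the install on `rpm -qa | grep yum-utils`, but create_repo is still called right after the sync (visible in the PATCH 113 hunk of the same function), so `createrepo` is no longer guaranteed in that path unless something else installs it; the PATCH 116 hunk on this line swaps createrepo out of commonpkgs as well. `grep yum-utils` is also a substring match over every installed package name, and the comment above the install still reads `# Install reposync`. Checking both packages explicitly, `if ! rpm -q yum-utils createrepo >/dev/null 2>&1; then`, and installing both avoids relying on one package pulling in the other. The function starts and ends outside the hunk.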
@@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004.2 + version: 3006.0+0na.61a7bd9 diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index e4ffe5fcb..4021d0e31 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004.2 + version: 3006 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From c6919a09da31eb1574876b8b02be30c3cf5c4c0f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 11:26:11 -0500 Subject: [PATCH 118/470] replace centos --- salt/_modules/needs_restarting.py | 2 +- salt/allowed_states.map.jinja | 2 +- salt/common/init.sls | 2 +- salt/common/tools/sbin/so-analyst-install | 10 +++++----- salt/mysql/init.sls | 2 +- salt/repo/client/map.jinja | 18 +++++++++--------- salt/salt/init.sls | 8 +------- salt/salt/map.jinja | 2 +- salt/ssl/init.sls | 2 +- salt/top.sls | 6 +++--- salt/workstation/packages.sls | 2 +- salt/workstation/remove_gui.sls | 2 +- salt/workstation/trusted-ca.sls | 2 +- salt/workstation/xwindows.sls | 2 +- setup/so-functions | 2 +- 15 files changed, 29 insertions(+), 35 deletions(-) diff --git a/salt/_modules/needs_restarting.py b/salt/_modules/needs_restarting.py index 5afb6f02a..8f5b50242 100644 --- a/salt/_modules/needs_restarting.py +++ b/salt/_modules/needs_restarting.py 
@@ -10,7 +10,7 @@ def check(): if path.exists('/var/run/reboot-required'): retval = 'True' - elif os == 'CentOS': + elif os == 'Rocky': cmd = 'needs-restarting -r > /dev/null 2>&1' try: diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 823b7b647..38f790053 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -262,7 +262,7 @@ {% do allowed_states.append('redis') %} {% endif %} - {% if grains.os == 'CentOS' %} + {% if grains.os == 'Rocky' %} {% if not ISAIRGAP %} {% do allowed_states.append('yum') %} {% endif %} diff --git a/salt/common/init.sls b/salt/common/init.sls index ea943ce4b..21c4ce369 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -235,7 +235,7 @@ soversionfile: {% endif %} {% if GLOBALS.so_model %} - {% if GLOBALS.os == 'CentOS' %} + {% if GLOBALS.os == 'Rocky' %} # Install Raid tools raidpkgs: pkg.installed: diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index f4eef07fa..4949989b0 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install @@ -6,8 +6,8 @@ # Elastic License 2.0. -{# we only want the script to install the workstation if it is CentOS -#} -{% if grains.os == 'CentOS' -%} +{# we only want the script to install the workstation if it is Rocky -#} +{% if grains.os == 'Rocky' -%} {# if this is a manager -#} {% if grains.master == grains.id.split('_')|first -%} @@ -80,12 +80,12 @@ echo "Since this is not a manager, the pillar values to enable analyst workstati {#- endif if this is a manager #} {% endif -%} -{#- if not CentOS #} +{#- if not Rocky #} {%- else %} -echo "The Analyst Workstation can only be installed on CentOS. Please view the documentation at $doc_workstation_url." +echo "The Analyst Workstation can only be installed on Rocky. Please view the documentation at $doc_workstation_url." -{#- endif grains.os == CentOS #} +{#- endif grains.os == Rocky #} {% endif -%} exit 0 
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index b2c4a2119..7287eb00d 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -14,7 +14,7 @@ mysqlpkgs: pkg.installed: - skip_suggestions: False - pkgs: - {% if grains['os'] != 'CentOS' %} + {% if grains['os'] != 'Rocky' %} {% if grains['oscodename'] == 'bionic' %} - python3-mysqldb {% elif grains['oscodename'] == 'focal' %} diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja index abf824aeb..1e5d9351f 100644 --- a/salt/repo/client/map.jinja +++ b/salt/repo/client/map.jinja @@ -1,16 +1,16 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.os == 'CentOS' %} +{% if GLOBALS.os == 'Rocky' %} {% set REPOPATH = '/etc/yum.repos.d/' %} {% set ABSENTFILES = [ - 'CentOS-Base.repo', - 'CentOS-CR.repo', - 'CentOS-Debuginfo.repo', - 'CentOS-fasttrack.repo', - 'CentOS-Media.repo', - 'CentOS-Sources.repo', - 'CentOS-Vault.repo', - 'CentOS-x86_64-kernel.repo', + 'Rocky-Base.repo', + 'Rocky-CR.repo', + 'Rocky-Debuginfo.repo', + 'Rocky-fasttrack.repo', + 'Rocky-Media.repo', + 'Rocky-Sources.repo', + 'Rocky-Vault.repo', + 'Rocky-x86_64-kernel.repo', 'docker-ce.repo', 'epel.repo', 'epel-testing.repo', diff --git a/salt/salt/init.sls b/salt/salt/init.sls index 7a553ac51..da66e100e 100644 --- a/salt/salt/init.sls +++ b/salt/salt/init.sls @@ -1,6 +1,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.os != 'CentOS' %} +{% if GLOBALS.os != 'Rocky' %} saltpymodules: pkg.installed: - pkgs: @@ -18,9 +18,3 @@ salt_bootstrap: - name: /usr/sbin/bootstrap-salt.sh - source: salt://salt/scripts/bootstrap-salt.sh - mode: 755 - -{% if GLOBALS.os == 'CentOS' %} -remove_salt-2019-2-5.repo: - file.absent: - - name: /etc/yum.repos.d/salt-2019-2-5.repo -{% endif %} diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 389a95607..d9f206fed 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja 
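Review bot: The ABSENTFILES entries in the repo/client/map.jinja hunk are a mechanical `CentOS-` → `Rocky-` rename, but as far as I know Rocky does not ship files named `Rocky-Base.repo`, `Rocky-CR.repo` or `Rocky-x86_64-kernel.repo`; its defaults are named per repository (for example `Rocky-BaseOS.repo`, `Rocky-AppStream.repo`, `Rocky-Extras.repo`), so `file.absent` on these names will silently match nothing and whatever the removal was meant to enforce no longer happens. Verify the list against `/etc/yum.repos.d/` on a stock Rocky install and replace the entries with the real file names. The ABSENTFILES list continues past the hunk's last line.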
@@ -28,7 +28,7 @@ {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %} {% if grains.saltversion|string != SALTVERSION|string %} - {% if grains.os|lower in ['centos', 'redhat'] %} + {% if grains.os|lower in ['Rocky', 'redhat'] %} {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} {% elif grains.os|lower == 'ubuntu' %} {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 855a4a3ea..c251a706a 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -41,7 +41,7 @@ trusttheca: - name: /etc/ssl/certs/intca.crt - text: {{ trusttheca_text }} -{% if grains['os'] != 'CentOS' %} +{% if grains['os'] != 'Rocky' %} # Install packages needed for the sensor m2cryptopkgs: pkg.installed: diff --git a/salt/top.sls b/salt/top.sls index 4b8531f4d..f0b60deb5 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -29,7 +29,7 @@ base: - salt.minion-state-apply-test - salt.minion - 'G@os:CentOS and G@saltversion:{{saltversion}}': + 'G@os:Rocky and G@saltversion:{{saltversion}}': - match: compound - yum.packages @@ -377,10 +377,10 @@ base: {%- endif %} - idh - 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': + 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': - match: compound - workstation - 'J@workstation:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': + 'J@workstation:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': - match: compound - workstation.remove_gui diff --git a/salt/workstation/packages.sls b/salt/workstation/packages.sls index b63762a2c..6b9b9c689 100644 --- a/salt/workstation/packages.sls +++ b/salt/workstation/packages.sls 
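Review bot: `grains.os|lower in ['Rocky', 'redhat']` can never be true on Rocky, because the filter lowercases the grain to `rocky` while the list entry keeps its capital letter; the previous `'centos'` entry was lowercase, so this branch used to fire and now silently stops setting UPGRADECOMMAND on the OS the commit is moving to. Change the entry to `{% if grains.os|lower in ['rocky', 'redhat'] %}`. Separately, the `3006.0+0na.61a7bd9` value introduced in patch 117 is appended to the bootstrap command here unchanged; if `grains.saltversion` on that build reports a plain `3006.0`, the `!=` comparison on the line above stays true after the upgrade and the command would be rerun on every apply — worth confirming on one node. The enclosing block starts and ends outside the hunk.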
@@ -1,7 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'CentOS' %} +{% if GLOBALS.os == 'Rocky' %} xwindows_group: pkg.group_installed: diff --git a/salt/workstation/remove_gui.sls b/salt/workstation/remove_gui.sls index 0eefc9462..363b8c433 100644 --- a/salt/workstation/remove_gui.sls +++ b/salt/workstation/remove_gui.sls @@ -1,7 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'CentOS' %} +{% if GLOBALS.os == 'Rocky' %} remove_graphical_target: file.symlink: diff --git a/salt/workstation/trusted-ca.sls b/salt/workstation/trusted-ca.sls index fcdf7cffc..a8d48c046 100644 --- a/salt/workstation/trusted-ca.sls +++ b/salt/workstation/trusted-ca.sls @@ -1,7 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'CentOS' %} +{% if GLOBALS.os == 'Rocky' %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} diff --git a/salt/workstation/xwindows.sls b/salt/workstation/xwindows.sls index bcd543868..d8fb53976 100644 --- a/salt/workstation/xwindows.sls +++ b/salt/workstation/xwindows.sls @@ -1,7 +1,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {# we only want this state to run it is CentOS #} -{% if GLOBALS.os == 'CentOS' %} +{% if GLOBALS.os == 'Rocky' %} include: - workstation.packages diff --git a/setup/so-functions b/setup/so-functions index 84d61a63c..085621acd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2150,7 +2150,7 @@ set_proxy() { "}" > /root/.docker/config.json # Set proxy for package manager - if [[ $is_centos ]]; then + if [[ $is_rocky ]]; then echo "proxy=$so_proxy" >> /etc/yum.conf else # Set it up so the updates roll through the manager From 43c177727cb18421a2714382a33451814a243438 Mon Sep 17 00:00:00 2001 
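Review bot: The context comment `{# we only want this state to run it is CentOS #}` directly above the changed condition in workstation/packages.sls still names CentOS, so it now contradicts the code on the next line; the same stale comment is kept in the remove_gui.sls, trusted-ca.sls and xwindows.sls hunks of this commit. Update it in all four files to `{# we only want this state to run if it is Rocky #}`, which also restores the missing "if". The `{% if GLOBALS.os == 'Rocky' %}` block each comment describes ends outside its hunk.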
From: Mike Reeves Date: Fri, 17 Feb 2023 11:32:05 -0500 Subject: [PATCH 119/470] replace centos --- salt/common/packages.sls | 35 ----------------------------------- 1 file changed, 35 deletions(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index a47cf5a42..2bf13692d 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -43,44 +43,9 @@ commonpkgs: - python3-dnf-plugin-versionlock - nmap-ncat - yum-utils - - python3-lxml - - python3-packaging - device-mapper-persistent-data - lvm2 - openssl - git - python3-docker -{% else %} -commonpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - wget - - ntpdate - - bind-utils - - jq - - tcpdump - - httpd-tools - - net-tools - - curl - - sqlite - - mariadb-devel - - nmap-ncat - - python3 - - python36-packaging - - python36-lxml - - python36-docker - - python36-dateutil - - python36-m2crypto - - python36-mysql - - python36-packaging - - python36-lxml - - securityonion-python36-watchdog - - yum-utils - - device-mapper-persistent-data - - lvm2 - - openssl - - git - - vim-enhanced - - yum-plugin-versionlock {% endif %} From ba9c52db377c449d70828ae1c0c866124364eeaa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 11:37:28 -0500 Subject: [PATCH 120/470] replace centos --- salt/common/packages.sls | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 2bf13692d..72f665149 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -47,5 +47,16 @@ commonpkgs: - lvm2 - openssl - git +rockypythonpacks: + pkg.installed: + - skip_suggestions: True + - pkgs: - python3-docker + -pkg_verify: + - ignore_types: + - config + - doc + - verify_options: + - nodeps + - nofiledigest {% endif %} From e7f35673e0d10cbb9047435399047ab72234fbe0 Mon Sep 17 00:00:00 2001 
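Review bot: `-pkg_verify:` in the new rockypythonpacks state is missing the space after the dash, so unlike its sibling `- pkgs:` it is not a list item but a plain key at the level of `pkg.installed:`, which Salt would most likely reject as an unknown state function; it should read `  - pkg_verify:`. The verify_options also include `nofiledigest`, which tells rpm to skip comparing file digests — that is exactly the check that would flag a modified or corrupted file in the package, so if the goal is only to quiet config/doc noise, `ignore_types` already covers that and `nofiledigest` can be dropped. The indentation of the kept `- python3-docker` context line relative to the new `- pkgs:` cannot be read from the collapsed diff and should be checked as well.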
From: Mike Reeves Date: Fri, 17 Feb 2023 11:38:50 -0500 Subject: [PATCH 121/470] replace centos --- salt/common/packages.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 72f665149..dabf59eef 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -52,7 +52,7 @@ rockypythonpacks: - skip_suggestions: True - pkgs: - python3-docker - -pkg_verify: + - pkg_verify: - ignore_types: - config - doc From 4bb49ad617d0d823c3ce55c58f924ffc1b644fac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 13:11:13 -0500 Subject: [PATCH 122/470] add some deps --- setup/so-functions | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 085621acd..ba00ea5b7 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2009,21 +2009,15 @@ saltify() { fi if [[ $is_rocky ]]; then - RUSALTY=$(rpm -qa | grep salt-minion | wc -l) - if [[ "$RUSALTY" -gt 0 ]]; then - # Salt is already installed. - info "salt is installed" + # THIS IS A TEMP HACK + logCmd "dnf -y install securityonion-salt python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python36-docker" + logCmd "mkdir -p /etc/salt/minion.d" + if [[ $waitforstate ]]; then + # Since this is a salt master so let's install it + logCmd "" else - # THIS IS A TEMP HACK - logCmd "dnf -y install securityonion-salt" - logCmd "mkdir -p /etc/salt/minion.d" - if [[ $waitforstate ]]; then - # Since this is a salt master so let's install it - logCmd "" - else - # We just need the minion - logCmd "dnf -y install salt-minion" - fi + # We just need the minion + logCmd "dnf -y install salt-minion" fi fi From e3e8d301615674e1d42b5b1cde882a5ec13038d8 Mon Sep 17 00:00:00 2001 
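Review bot: The `waitforstate` branch in the saltify hunk still runs `logCmd ""`, so on a manager the new code installs nothing beyond the dependency line above it while the comment `# Since this is a salt master so let's install it` claims an install happens; either put the intended package install there (presumably the salt-master package) or remove the branch and the misleading comment. Dropping the `rpm -qa | grep salt-minion` guard makes the `dnf -y install ...` unconditional, which dnf tolerates, but the `# THIS IS A TEMP HACK` comment should say what the hack is waiting on so someone can tell when it is safe to remove. saltify's body continues outside the hunk.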
From: Mike Reeves Date: Fri, 17 Feb 2023 13:17:57 -0500 Subject: [PATCH 123/470] fix python docker name --- setup/so-functions | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index ba00ea5b7..b25561729 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -877,6 +877,7 @@ create_manager_pillars() { create_repo() { title "Create the repo directory" + logCmd "dnf -y install yum-utils" logCmd "createrepo /nsm/repo" } @@ -1949,14 +1950,6 @@ repo_sync_local() { echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf - REPOSYNC=$(rpm -qa | grep yum-utils | wc -l) - if [[ ! "$REPOSYNC" -gt 0 ]]; then - # Install reposync - info "Installing yum-utils" - logCmd "dnf -y install -c /root/repodownload.conf yum-utils" - else - info "We have what we need to sync" - fi dnf repolist # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" @@ -1964,7 +1957,6 @@ repo_sync_local() { # Run it again and make sure we got allt he things logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" - # After the download is complete run createrepo create_repo @@ -2010,7 +2002,7 @@ saltify() { if [[ $is_rocky ]]; then # THIS IS A TEMP HACK - logCmd "dnf -y install securityonion-salt python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python36-docker" + logCmd "dnf -y install securityonion-salt python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker" logCmd "mkdir -p /etc/salt/minion.d" if [[ $waitforstate ]]; then # Since this is a salt master so let's install it 
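Review bot: `create_repo` now installs yum-utils and then calls `createrepo`, but yum-utils does not provide the `createrepo` command; on EL8/9 it comes from the createrepo_c package, and patch 116 on this page removed `createrepo` from commonpkgs, so on a fresh node this function will most likely fail with "command not found" unless createrepo_c arrives some other way. Install the package the command actually needs here, e.g. `logCmd "dnf -y install createrepo_c"`, or restore it in the package state. The repo_sync_local hunk also removes the yum-utils precheck and runs `dnf reposync` before `create_repo` is reached, so that path now relies on the reposync plugin having been installed by an earlier step.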
From ba5b125952f42e59bc1914b58ae8a618d694e608 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 17 Feb 2023 13:25:01 -0500 Subject: [PATCH 124/470] Update minion.defaults.yaml --- salt/salt/minion.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 4021d0e31..7bbd569c6 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3006 + version: 3006.0+0na.61a7bd9 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From 12398bdf24017b349135fa8f22527496eb79bb95 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 13:34:21 -0500 Subject: [PATCH 125/470] add m2crypto --- salt/ssl/init.sls | 6 ------ 1 file changed, 6 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index c251a706a..bf31fff27 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -41,18 +41,12 @@ trusttheca: - name: /etc/ssl/certs/intca.crt - text: {{ trusttheca_text }} -{% if grains['os'] != 'Rocky' %} # Install packages needed for the sensor m2cryptopkgs: pkg.installed: - skip_suggestions: False - pkgs: - {% if grains['oscodename'] == 'bionic' %} - - python-m2crypto - {% elif grains['oscodename'] == 'focal' %} - python3-m2crypto - {% endif %} -{% endif %} influxdb_key: x509.private_key_managed: From bcf1fe8dadaafd6f235c3d922c48a0a2f544c831 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 13:48:10 -0500 Subject: [PATCH 126/470] fix reposync script --- salt/common/tools/sbin/so-repo-sync | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
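Review bot: With the `grains['os'] != 'Rocky'` guard and the bionic branch removed, m2cryptopkgs installs `python3-m2crypto` unconditionally on every OS this state reaches, and patch 128 later on this page adds the same package to commonpkgs; two states owning one package is tolerated by Salt but confusing to maintain, so keep it in one place and drop the other, or document why the ssl state needs its own copy. The comment `# Install packages needed for the sensor` should then say which state below depends on m2crypto, since that is no longer obvious without the removed branches. The hunk runs into influxdb_key, whose definition ends outside it.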
diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index 67adb46ff..4a9cc3b18 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync @@ -12,5 +12,5 @@ set_os salt_minion_count curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup" -reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/" - \ No newline at end of file +reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/ +crete_repo /nsm/repo \ No newline at end of file From c6cbb4857d6d1df70bf73ffc3dd3e4d89243a4f0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 13:53:36 -0500 Subject: [PATCH 127/470] add rsync --- salt/common/packages.sls | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index dabf59eef..5bbf3b9f6 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -47,16 +47,6 @@ commonpkgs: - lvm2 - openssl - git -rockypythonpacks: - pkg.installed: - - skip_suggestions: True - - pkgs: - python3-docker - - pkg_verify: - - ignore_types: - - config - - doc - - verify_options: - - nodeps - - nofiledigest + - rsync {% endif %} From c6266e9f91ab32ffcfa71867cf6bf594ec3ad9e5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Feb 2023 13:54:46 -0500 Subject: [PATCH 128/470] add m2crypto --- salt/common/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 5bbf3b9f6..9fd9f4e51 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -48,5 +48,6 @@ commonpkgs: - openssl - git - python3-docker + - python3-m2crypto - rsync {% endif %} From b53aa08eeb279775d9d9badc6a9237be22ff6c4e Mon Sep 17 00:00:00 2001 
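Review bot: The added line calls `crete_repo /nsm/repo`, which matches no function on this page — so-functions defines `create_repo()` — so the script's last step will fail with "command not found"; it should be `create_repo /nsm/repo`, and note that `create_repo()` as shown takes no argument and hard-codes `/nsm/repo` itself. The curl line kept as context still ends with an unbalanced `"` (`--output /tmp/checkup"`), the same stray quote this commit removes from the reposync line, which leaves bash with an unterminated string; its `-A '...$VERSION/$OS/$(uname -r)/$MINIONCOUNT'` argument is also single-quoted, so none of those values expand and the user agent is sent literally. The file still has no trailing newline.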
From: Mike Reeves Date: Fri, 17 Feb 2023 13:58:45 -0500 Subject: [PATCH 129/470] remove grafana and filebeat --- salt/filebeat/defaults.yaml | 112 - salt/filebeat/etc/filebeat.yml | 674 ---- salt/filebeat/etc/module-setup.yml | 10 - salt/filebeat/etc/module_config.yml.jinja | 2 - salt/filebeat/init.sls | 162 - salt/filebeat/map.jinja | 15 - salt/filebeat/modules.map.jinja | 18 - salt/filebeat/pillar.example | 22 - salt/filebeat/securityoniondefaults.yaml | 30 - salt/filebeat/thirdpartydefaults.yaml | 261 -- .../dashboards/common_template.json.jinja | 64 - salt/grafana/etc/dashboards/dashboard.yml | 12 - salt/grafana/etc/datasources/influxdb.yaml | 17 - salt/grafana/etc/files/readme.txt | 1 - salt/grafana/etc/grafana.ini.jinja | 12 - salt/grafana/grafana_defaults.yaml | 3147 ----------------- salt/grafana/init.sls | 164 - ...u_docker_combined_current_graph.json.jinja | 223 -- ...cpu_docker_combined_trend_graph.json.jinja | 220 -- .../panels/cpu_usage_current_graph.json.jinja | 150 - .../grafana/panels/cpu_usage_guage.json.jinja | 126 - .../cpu_usage_tasks_all_graph.json.jinja | 193 - .../cpu_usage_tasks_blocked_graph.json.jinja | 124 - .../cpu_usage_tasks_paging_graph.json.jinja | 124 - .../cpu_usage_tasks_running_graph.json.jinja | 124 - .../cpu_usage_tasks_sleeping_graph.json.jinja | 124 - .../cpu_usage_tasks_stopped_graph.json.jinja | 124 - .../cpu_usage_tasks_unknown_graph.json.jinja | 124 - .../cpu_usage_tasks_zombies_graph.json.jinja | 124 - .../panels/disk_io_bytes_graph.json.jinja | 189 - .../panels/disk_io_requests_graph.json.jinja | 190 - .../panels/disk_io_time_graph.json.jinja | 189 - .../panels/disk_usage_nsm_graph.json.jinja | 211 -- .../disk_usage_nsm_percent_graph.json.jinja | 149 - .../panels/disk_usage_root_graph.json.jinja | 211 -- .../disk_usage_root_percent_graph.json.jinja | 149 - ...sticsearch_document_count_graph.json.jinja | 193 - ...rch_field_data_cache_size_graph.json.jinja | 191 - ..._ingest_performance_nontc_graph.json.jinja | 796 ----- 
...rch_ingest_performance_tc_graph.json.jinja | 793 ----- ...earch_pipeline_time_nontc_graph.json.jinja | 153 - ...icsearch_pipeline_time_tc_graph.json.jinja | 129 - .../elasticsearch_store_size_graph.json.jinja | 195 - ...lasticsearch_thread_count_graph.json.jinja | 192 - .../panels/influxdb_db_size_graph.json.jinja | 191 - salt/grafana/panels/io_wait_graph.json.jinja | 148 - salt/grafana/panels/io_wait_stat.json.jinja | 125 - .../load_average_5_minute_stat.json.jinja | 118 - .../panels/load_averages_graph.json.jinja | 187 - ...gstash_eps_in_out_manager_graph.json.jinja | 403 --- ...logstash_estimated_eps_in_graph.json.jinja | 230 -- .../logstash_estimated_eps_in_stat.json.jinja | 136 - ...sh_estimated_eps_in_total_graph.json.jinja | 156 - ...ogstash_estimated_eps_out_graph.json.jinja | 230 -- ...logstash_estimated_eps_out_stat.json.jinja | 136 - ...h_estimated_eps_out_total_graph.json.jinja | 156 - ...ing_eps_in_out_searchnode_graph.json.jinja | 411 --- ...g_eps_in_searchnode_total_graph.json.jinja | 170 - ...anagement_interface_drops_graph.json.jinja | 282 -- ...t_interface_drops_inbound_graph.json.jinja | 142 - ..._interface_drops_outbound_graph.json.jinja | 142 - ...agement_interface_packets_graph.json.jinja | 283 -- ...nt_interface_traffic_both_graph.json.jinja | 409 --- ...interface_traffic_inbound_graph.json.jinja | 164 - ...nterface_traffic_outbound_graph.json.jinja | 162 - .../panels/memory_usage_graph.json.jinja | 208 -- .../memory_usage_percent_graph.json.jinja | 139 - ...d_docker_combined_current_graph.json.jinja | 143 - ...sed_docker_combined_trend_graph.json.jinja | 143 - .../monitor_interface_drops_graph.json.jinja | 282 -- ...r_interface_drops_inbound_graph.json.jinja | 125 - ...monitor_interface_packets_graph.json.jinja | 282 -- ...or_interface_traffic_both_graph.json.jinja | 276 -- ...interface_traffic_inbound_graph.json.jinja | 167 - ...ace_traffic_inbound_total_graph.json.jinja | 178 - .../monitor_interface_traffic_stat.json.jinja | 152 - 
...e_docker_combined_current_graph.json.jinja | 232 -- ...age_docker_combined_trend_graph.json.jinja | 231 -- salt/grafana/panels/nsm_used_guage.json.jinja | 121 - .../panels/pcap_retention_stat.json.jinja | 113 - .../panels/process_status_graph.json.jinja | 203 -- .../grafana/panels/ram_usage_guage.json.jinja | 114 - .../panels/redis_queue_graph.json.jinja | 208 -- .../panels/redis_queue_stat.json.jinja | 95 - .../panels/rootfs_used_guage.json.jinja | 121 - salt/grafana/panels/row_cpu.json.jinja | 15 - salt/grafana/panels/row_disk_iops.json.jinja | 22 - salt/grafana/panels/row_disk_usage.json.jinja | 15 - .../panels/row_docker_details.json.jinja | 15 - .../panels/row_elasticsearch.json.jinja | 15 - salt/grafana/panels/row_influxdb.json.jinja | 15 - salt/grafana/panels/row_logstash.json.jinja | 15 - salt/grafana/panels/row_memory.json.jinja | 15 - salt/grafana/panels/row_network.json.jinja | 15 - salt/grafana/panels/row_overview.json.jinja | 15 - .../grafana/panels/row_packet_loss.json.jinja | 15 - salt/grafana/panels/row_redis.json.jinja | 15 - .../panels/row_stenographer.json.jinja | 15 - salt/grafana/panels/row_suricata.json.jinja | 15 - salt/grafana/panels/row_swap.json.jinja | 15 - salt/grafana/panels/row_zeek.json.jinja | 15 - .../stenographer_packet_loss_graph.json.jinja | 229 -- .../stenographer_packet_loss_stat.json.jinja | 114 - ...enographer_pcap_retention_graph.json.jinja | 207 -- .../suricata_packet_loss_graph.json.jinja | 241 -- .../suricata_packet_loss_stat.json.jinja | 120 - .../panels/swap_io_bytes_graph.json.jinja | 187 - .../panels/swap_usage_bytes_graph.json.jinja | 184 - .../panels/swap_usage_guage.json.jinja | 115 - .../swap_usage_percent_graph.json.jinja | 141 - salt/grafana/panels/system_uptime.json.jinja | 91 - .../panels/system_uptime_graph.json.jinja | 148 - ...e_docker_combined_current_graph.json.jinja | 168 - ...ime_docker_combined_trend_graph.json.jinja | 165 - .../panels/zeek_capture_loss_graph.json.jinja | 203 -- 
.../panels/zeek_packet_loss_graph.json.jinja | 244 -- .../panels/zeek_packet_loss_stat.json.jinja | 120 - .../zeek_restarts_healthcheck_stat.json.jinja | 93 - salt/grafana/soc_grafana.yaml | 49 - salt/grafana/templates/cluster_name.json | 25 - salt/grafana/templates/containers.json | 29 - salt/grafana/templates/cpucount.json | 24 - salt/grafana/templates/disk.json | 39 - salt/grafana/templates/manint.json | 29 - salt/grafana/templates/monint.json | 29 - salt/grafana/templates/role.json | 29 - salt/grafana/templates/searchnode.json | 25 - salt/grafana/templates/servername.json | 34 - 128 files changed, 21676 deletions(-) delete mode 100644 salt/filebeat/defaults.yaml delete mode 100644 salt/filebeat/etc/filebeat.yml delete mode 100644 salt/filebeat/etc/module-setup.yml delete mode 100644 salt/filebeat/etc/module_config.yml.jinja delete mode 100644 salt/filebeat/init.sls delete mode 100644 salt/filebeat/map.jinja delete mode 100644 salt/filebeat/modules.map.jinja delete mode 100644 salt/filebeat/pillar.example delete mode 100644 salt/filebeat/securityoniondefaults.yaml delete mode 100644 salt/filebeat/thirdpartydefaults.yaml delete mode 100644 salt/grafana/dashboards/common_template.json.jinja delete mode 100644 salt/grafana/etc/dashboards/dashboard.yml delete mode 100644 salt/grafana/etc/datasources/influxdb.yaml delete mode 100644 salt/grafana/etc/files/readme.txt delete mode 100644 salt/grafana/etc/grafana.ini.jinja delete mode 100644 salt/grafana/grafana_defaults.yaml delete mode 100644 salt/grafana/init.sls delete mode 100644 salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_current_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_guage.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja 
delete mode 100644 salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja delete mode 100644 salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_io_bytes_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_io_requests_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_io_time_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_nsm_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_root_graph.json.jinja delete mode 100644 salt/grafana/panels/disk_usage_root_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_document_count_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_store_size_graph.json.jinja delete mode 100644 salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja delete mode 100644 salt/grafana/panels/influxdb_db_size_graph.json.jinja delete mode 100644 salt/grafana/panels/io_wait_graph.json.jinja delete mode 100644 salt/grafana/panels/io_wait_stat.json.jinja delete mode 100644 salt/grafana/panels/load_average_5_minute_stat.json.jinja delete mode 100644 
salt/grafana/panels/load_averages_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja delete mode 100644 salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja delete mode 100644 salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_drops_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_packets_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_traffic_both_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_usage_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_usage_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_drops_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja delete mode 100644 
salt/grafana/panels/monitor_interface_packets_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja delete mode 100644 salt/grafana/panels/monitor_interface_traffic_stat.json.jinja delete mode 100644 salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/nsm_used_guage.json.jinja delete mode 100644 salt/grafana/panels/pcap_retention_stat.json.jinja delete mode 100644 salt/grafana/panels/process_status_graph.json.jinja delete mode 100644 salt/grafana/panels/ram_usage_guage.json.jinja delete mode 100644 salt/grafana/panels/redis_queue_graph.json.jinja delete mode 100644 salt/grafana/panels/redis_queue_stat.json.jinja delete mode 100644 salt/grafana/panels/rootfs_used_guage.json.jinja delete mode 100644 salt/grafana/panels/row_cpu.json.jinja delete mode 100644 salt/grafana/panels/row_disk_iops.json.jinja delete mode 100644 salt/grafana/panels/row_disk_usage.json.jinja delete mode 100644 salt/grafana/panels/row_docker_details.json.jinja delete mode 100644 salt/grafana/panels/row_elasticsearch.json.jinja delete mode 100644 salt/grafana/panels/row_influxdb.json.jinja delete mode 100644 salt/grafana/panels/row_logstash.json.jinja delete mode 100644 salt/grafana/panels/row_memory.json.jinja delete mode 100644 salt/grafana/panels/row_network.json.jinja delete mode 100644 salt/grafana/panels/row_overview.json.jinja delete mode 100644 salt/grafana/panels/row_packet_loss.json.jinja delete mode 100644 salt/grafana/panels/row_redis.json.jinja delete mode 100644 salt/grafana/panels/row_stenographer.json.jinja delete mode 100644 salt/grafana/panels/row_suricata.json.jinja delete mode 100644 
salt/grafana/panels/row_swap.json.jinja delete mode 100644 salt/grafana/panels/row_zeek.json.jinja delete mode 100644 salt/grafana/panels/stenographer_packet_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/stenographer_packet_loss_stat.json.jinja delete mode 100644 salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja delete mode 100644 salt/grafana/panels/suricata_packet_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/suricata_packet_loss_stat.json.jinja delete mode 100644 salt/grafana/panels/swap_io_bytes_graph.json.jinja delete mode 100644 salt/grafana/panels/swap_usage_bytes_graph.json.jinja delete mode 100644 salt/grafana/panels/swap_usage_guage.json.jinja delete mode 100644 salt/grafana/panels/swap_usage_percent_graph.json.jinja delete mode 100644 salt/grafana/panels/system_uptime.json.jinja delete mode 100644 salt/grafana/panels/system_uptime_graph.json.jinja delete mode 100644 salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja delete mode 100644 salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja delete mode 100644 salt/grafana/panels/zeek_capture_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/zeek_packet_loss_graph.json.jinja delete mode 100644 salt/grafana/panels/zeek_packet_loss_stat.json.jinja delete mode 100644 salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja delete mode 100644 salt/grafana/soc_grafana.yaml delete mode 100644 salt/grafana/templates/cluster_name.json delete mode 100644 salt/grafana/templates/containers.json delete mode 100644 salt/grafana/templates/cpucount.json delete mode 100644 salt/grafana/templates/disk.json delete mode 100644 salt/grafana/templates/manint.json delete mode 100644 salt/grafana/templates/monint.json delete mode 100644 salt/grafana/templates/role.json delete mode 100644 salt/grafana/templates/searchnode.json delete mode 100644 salt/grafana/templates/servername.json 
diff --git a/salt/filebeat/defaults.yaml b/salt/filebeat/defaults.yaml deleted file mode 100644 index 83bb9b22e..000000000 --- a/salt/filebeat/defaults.yaml +++ /dev/null 
@@ -1,112 +0,0 @@ -filebeat: - config: - zeek_logs_enabled: - - conn - - dce_rpc - - dhcp - - dnp3 - - dns - - dpd - - files - - ftp - - http - - intel - - irc - - kerberos - - modbus - - mysql - - notice - - ntlm - - pe - - radius - - rfb - - rdp - - sip - - smb_files - - smb_mapping - - smtp - - snmp - - socks - - software - - ssh - - ssl - - tunnel - - weird - - x509 - - bacnet - - bacnet_discovery - - bacnet_property - - bsap_ip_header - - bsap_ip_rdb - - bsap_ip_unknown - - bsap_serial_header - - bsap_serial_rdb - - bsap_serial_rdb_ext - - bsap_serial_unknown - - cip - - cip_identity - - cip_io - - cotp - - dnp3_control - - dnp3_objects - - ecat_aoe_info - - ecat_coe_info - - ecat_dev_info - - ecat_foe_info - - ecat_log_address - - ecat_registers - - ecat_soe_info - - enip - - modbus_detailed - - modbus_mask_write_register - - modbus_read_write_multiple_registers - - opcua_binary - - opcua_binary_activate_session - - opcua_binary_activate_session_client_software_cert - - opcua_binary_activate_session_diagnostic_info - - opcua_binary_activate_session_locale_id - - opcua_binary_browse - - opcua_binary_browse_description - - opcua_binary_browse_diagnostic_info - - opcua_binary_browse_request_continuation_point - - opcua_binary_browse_response_references - - opcua_binary_browse_result - - opcua_binary_create_session - - opcua_binary_create_session_discovery - - opcua_binary_create_session_endpoints - - opcua_binary_create_session_user_token - - opcua_binary_create_subscription - - opcua_binary_diag_info_detail - - opcua_binary_get_endpoints - - opcua_binary_get_endpoints_description - - opcua_binary_get_endpoints_discovery - - opcua_binary_get_endpoints_locale_id - - opcua_binary_get_endpoints_profile_uri - - opcua_binary_get_endpoints_user_token - - opcua_binary_opensecure_channel - - opcua_binary_read - - opcua_binary_read_array_dims - - opcua_binary_read_array_dims_link - - opcua_binary_read_diagnostic_info - - opcua_binary_read_extension_object - - 
opcua_binary_read_extension_object_link - - opcua_binary_read_nodes_to_read - - opcua_binary_read_results - - opcua_binary_read_results_link - - opcua_binary_read_status_code - - opcua_binary_read_variant_data - - opcua_binary_read_variant_data_link - - opcua_binary_status_code_detail - - profinet - - profinet_dce_rpc - - profinet_debug - - s7comm - - s7comm_plus - - s7comm_read_szl - - s7comm_upload_download - - stun - - stun_nat - - tds - - tds_rpc - - tds_sql_batch - - wireguard diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml deleted file mode 100644 index 839bd12f5..000000000 --- a/salt/filebeat/etc/filebeat.yml +++ /dev/null 
@@ -1,674 +0,0 @@ -{%- if grains.role == 'so-heavynode' %} -{%- set MANAGER = salt['grains.get']('host' '') %} -{%- else %} -{%- set MANAGER = salt['grains.get']('master') %} -{%- endif %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} - -{%- set HOSTNAME = salt['grains.get']('host', '') %} -{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} -{%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} -{%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) -%} -{%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%} -{%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%} -{%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%} -{%- set FBLSBULKMAXSIZE = salt['pillar.get']('filebeat:ls_bulk_max_size', 2048) -%} -{%- set FBLOGGINGLEVEL = salt['pillar.get']('filebeat:logging:level', 'warning') -%} - -name: {{ HOSTNAME }} - -#================================ Logging ====================================== -# There are four options for the log output: file, stderr, syslog, eventlog -# The file output is the default. - -# Sets log level. The default log level is info. -# Available log levels are: error, warning, info, debug -logging.level: {{ FBLOGGINGLEVEL }} - -# Enable debug output for selected components. To enable all selectors use ["*"] -# Other available selectors are "beat", "publish", "service" -# Multiple selectors can be chained. -#logging.selectors: [ ] - -# Send all logging output to syslog. The default is false. -#logging.to_syslog: false - -# Send all logging output to Windows Event Logs. The default is false. -#logging.to_eventlog: false - -# If enabled, filebeat periodically logs its internal metrics that have changed -# in the last period. 
For each metric that changed, the delta from the value at -# the beginning of the period is logged. Also, the total values for -# all non-zero internal metrics are logged on shutdown. The default is true. -#logging.metrics.enabled: true - -# The period after which to log the internal metrics. The default is 30s. -#logging.metrics.period: 30s - -# Logging to rotating files. Set logging.to_files to false to disable logging to -# files. -logging.to_files: true -logging.files: - # Configure the path where the logs are written. The default is the logs directory - # under the home path (the binary location). - path: /usr/share/filebeat/logs - - # The name of the files where the logs are written to. - name: filebeat.log - - # Configure log file size limit. If limit is reached, log file will be - # automatically rotated - rotateeverybytes: 10485760 # = 10MB - - # Rotate on startup - rotateonstartup: false - - # Number of rotated log files to keep. Oldest files will be deleted first. - keepfiles: 7 - - # The permissions mask to apply when rotating log files. The default value is 0600. - # Must be a valid Unix-style file permissions mask expressed in octal notation. - #permissions: 0600 - -# Set to true to log messages in json format. -#logging.json: false - - - -#========================== Modules configuration ============================ -filebeat.config.modules: - enabled: true - path: ${path.config}/modules.d/*.yml - -filebeat.modules: -#=========================== Filebeat prospectors ============================= - -# List of prospectors to fetch data. 
-filebeat.inputs: -#------------------------------ Log prospector -------------------------------- -- type: udp - enabled: true - host: "0.0.0.0:514" - fields: - module: syslog - dataset: syslog - pipeline: "syslog" - index: "so-syslog" - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - -- type: tcp - enabled: true - host: "0.0.0.0:514" - fields: - module: syslog - dataset: syslog - pipeline: "syslog" - index: "so-syslog" - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - -{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} -- type: filestream - id: logscan - paths: - - /logs/logscan/alerts.log - fields: - module: logscan - dataset: alert - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - clean_removed: true - close_removed: false -{%- endif %} - -{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-sensor', 'so-helix', 'so-heavynode', 'so-import'] %} - {%- if ZEEKVER != 'SURICATA' %} - {% import_yaml 'filebeat/defaults.yaml' as FBD with context %} - - {% set FBCONFIG = salt['pillar.get']('filebeat:zeek_logs_enabled', default=FBD.filebeat, merge=True) %} - - {%- for LOGNAME in FBCONFIG.zeek_logs_enabled %} -- type: filestream - id: zeek-{{ LOGNAME }} - paths: - - /nsm/zeek/logs/current/{{ LOGNAME }}.log - fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - processors: - {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %} - - add_tags: - tags: ["ics"] - {%- endif %} - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: true - close_removed: false - -- type: filestream - id: import-zeek={{ LOGNAME }} - paths: - - /nsm/import/*/zeek/logs/{{ LOGNAME }}.log 
- fields: - module: zeek - dataset: {{ LOGNAME }} - category: network - imported: true - processors: - {%- if LOGNAME is match('^bacnet*|^bsap*|^cip*|^cotp*|^dnp3*|^ecat*|^enip*|^modbus*|^opcua*|^profinet*|^s7comm*') %} - - add_tags: - tags: ["ics"] - {%- endif %} - - add_tags: - tags: ["import"] - - dissect: - tokenizer: "/nsm/import/%{import.id}/zeek/logs/%{import.file}" - field: "log.file.path" - target_prefix: "" - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - {%- endfor %} - {%- endif %} - -- type: filestream - id: suricata-eve - paths: - - /nsm/suricata/eve*.json - fields: - module: suricata - dataset: common - category: network - - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - -- type: filestream - id: import-suricata - paths: - - /nsm/import/*/suricata/eve*.json - fields: - module: suricata - dataset: common - category: network - imported: true - processors: - - add_tags: - tags: ["import"] - - dissect: - tokenizer: "/nsm/import/%{import.id}/suricata/%{import.file}" - field: "log.file.path" - target_prefix: "" - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - {%- if STRELKAENABLED == 1 %} -- type: filestream - id: strelka - paths: - - /nsm/strelka/log/strelka.log - fields: - module: strelka - category: file - dataset: file - - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - - {%- endif %} -{%- endif %} - -{%- if RITAENABLED %} -- type: filestream - id: rita-beacon - paths: - - /nsm/rita/beacons.csv - exclude_lines: ['^Score', '^Source', '^Domain', '^No results'] - fields: - module: rita - dataset: beacon - 
category: network - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - pipeline: "rita.beacon" - index: "so-rita" - -- type: filestream - id: rita-connection - paths: - - /nsm/rita/long-connections.csv - - /nsm/rita/open-connections.csv - exclude_lines: ['^Source', '^No results'] - fields: - module: rita - dataset: connection - category: network - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - pipeline: "rita.connection" - index: "so-rita" - -- type: filestream - id: rita-dns - paths: - - /nsm/rita/exploded-dns.csv - exclude_lines: ['^Domain', '^No results'] - fields: - module: rita - dataset: dns - category: network - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - fields_under_root: true - pipeline: "rita.dns" - index: "so-rita" -{%- endif %} - -{%- if grains['role'] in ['so-eval', 'so-standalone', 'so-manager', 'so-managersearch', 'so-import'] %} -- type: filestream - id: kratos - paths: - - /logs/kratos/kratos.log - fields: - module: kratos - category: host - processors: - - decode_json_fields: - fields: ["message"] - target: "" - add_error_key: true - - rename: - fields: - - from: "audience" - to: "event.dataset" - ignore_missing: true - - add_fields: - when: - not: - has_fields: ['event.dataset'] - target: '' - fields: - event.dataset: access - pipeline: "kratos" - fields_under_root: true - clean_removed: false - close_removed: false -{%- endif %} - -{%- if grains.role == 'so-idh' %} -- type: filestream - id: idh - paths: - - /nsm/idh/opencanary.log - fields: - module: opencanary - dataset: idh - category: host - tags: beat-ext - processors: - - decode_json_fields: - fields: ["message"] - target: "" - add_error_key: true - - drop_fields: - when: - equals: - logtype: 1001 - fields: ["src_host", "src_port", "dst_host", "dst_port" ] - ignore_missing: true - - rename: - fields: - - 
from: "src_host" - to: "source.ip" - - from: "src_port" - to: "source.port" - - from: "dst_host" - to: "destination.host" - - from: "dst_port" - to: "destination.port" - ignore_missing: true - - convert: - fields: - - {from: "logtype", to: "event.code", type: "string"} - ignore_missing: true - - drop_fields: - fields: '["prospector", "input", "offset", "beat"]' - fields_under_root: true - clean_removed: false - close_removed: false -{%- endif %} - -{%- if INPUTS %} -# USER PILLAR DEFINED INPUTS -{{ INPUTS | yaml(False) }} -{%- endif %} - -{% if OUTPUT -%} -# USER PILLAR DEFINED OUTPUT -{%- set types = OUTPUT.keys() | list %} -{%- set type = types[0] %} -output.{{ type }}: - {%- for i in OUTPUT[type].items() %} - {{ i[0] }}: {{ i[1]}} - {%- endfor %} -{%- else %} -#----------------------------- Elasticsearch/Logstash output --------------------------------- - {%- if grains['role'] in ["so-eval", "so-import"] %} -output.elasticsearch: - enabled: true - hosts: ["https://{{ MANAGER }}:9200"] - username: "{{ ES_USER }}" - password: "{{ ES_PASS }}" - ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] - pipelines: - - pipeline: "%{[module]}.%{[dataset]}" - indices: - - index: "so-import" - when.contains: - tags: "import" - - index: "so-zeek" - when.contains: - module: "zeek" - - index: "so-ids" - when.contains: - module: "suricata" - - index: "so-ossec" - when.contains: - module: "ossec" - - index: "so-osquery" - when.contains: - module: "osquery" - - index: "so-strelka" - when.contains: - module: "strelka" - - index: "so-logscan" - when.contains: - module: "logscan" - - index: "so-elasticsearch-%{+YYYY.MM.dd}" - when.contains: - event.module: "elasticsearch" - - index: "so-kibana-%{+YYYY.MM.dd}" - when.contains: - event.module: "kibana" - -setup.template.enabled: false - {%- else %} - -output.logstash: - # Boolean flag to enable or disable the output module. 
- enabled: true - - # The Logstash hosts - hosts: -{# dont let filebeat send to a node designated as dmz #} -{% import_yaml 'logstash/dmz_nodes.yaml' as dmz_nodes -%} -{% if dmz_nodes.logstash.dmz_nodes -%} -{% set dmz_nodes = dmz_nodes.logstash.dmz_nodes -%} -{% else -%} -{% set dmz_nodes = [] -%} -{% endif -%} -{%- if grains.role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} -{%- set LOGSTASH = namespace() %} -{%- set LOGSTASH.count = 0 %} -{%- set LOGSTASH.loadbalance = false %} -{%- set node_data = salt['pillar.get']('logstash:nodes') %} -{%- for node_type, node_details in node_data.items() | sort -%} -{%- if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} -{%- for hostname in node_data[node_type].keys() %} -{%- if hostname not in dmz_nodes %} -{%- set LOGSTASH.count = LOGSTASH.count + 1 %} - - "{{ hostname }}:5644" #{{ node_details[hostname].ip }} -{%- endif %} -{%- endfor %} -{%- endif %} -{%- if LOGSTASH.count > 1 %} -{%- set LOGSTASH.loadbalance = true %} -{%- endif %} -{%- endfor %} - - loadbalance: {{ LOGSTASH.loadbalance | lower }} -{%- else %} - - "{{ grains.host }}:5644" -{%- endif %} - - # Number of workers per Logstash host. - worker: {{ FBLSWORKERS }} - - # Number of records to send to Logstash input at a time - bulk_max_size: {{ FBLSBULKMAXSIZE }} - - # Set gzip compression level. - #compression_level: 3 - - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions 1.0 up to - # 1.2 are enabled. - ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] - - # Optional SSL configuration options. SSL is off by default. 
- # List of root certificates for HTTPS server verifications - ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] - - # Certificate for SSL client authentication - ssl.certificate: "/usr/share/filebeat/filebeat.crt" - - # Client Certificate Key - ssl.key: "/usr/share/filebeat/filebeat.key" - -setup.template.enabled: false - # A dictionary of settings to place into the settings.index dictionary - # of the Elasticsearch template. For more details, please check - # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html - #index: - #number_of_shards: 1 - #codec: best_compression - #number_of_routing_shards: 30 - - # A dictionary of settings for the _source field. For more details, please check - # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html - #_source: - #enabled: false - {%- endif %} -{% endif %} -#============================== Kibana ===================================== - -# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API. -# This requires a Kibana endpoint configuration. -#setup.kibana: - - # Kibana Host - # Scheme and port can be left out and will be set to the default (http and 5601) - # In case you specify and additional path, the scheme is required: http://localhost:5601/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 - #host: "localhost:5601" - - # Optional protocol and basic auth credentials. - #protocol: "https" - #username: "elastic" - #password: "changeme" - - # Optional HTTP Path - #path: "" - - # Use SSL settings for HTTPS. Default is true. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. 
By default all TLS versions 1.0 up to - # 1.2 are enabled. - #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] - - # SSL configuration. By default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #ssl.curve_types: [] - - - - - -#============================== Xpack Monitoring ===================================== -# filebeat can export internal metrics to a central Elasticsearch monitoring cluster. -# This requires xpack monitoring to be enabled in Elasticsearch. -# The reporting is disabled by default. - -# Set to true to enable the monitoring reporter. -#xpack.monitoring.enabled: false - -# Uncomment to send the metrics to Elasticsearch. Most settings from the -# Elasticsearch output are accepted here as well. Any setting that is not set is -# automatically inherited from the Elasticsearch output configuration, so if you -# have the Elasticsearch output configured, you can simply uncomment the -# following line, and leave the rest commented out. -#xpack.monitoring.elasticsearch: - - # Array of hosts to connect to. - # Scheme and port can be left out and will be set to the default (http and 9200) - # In case you specify and additional path, the scheme is required: http://localhost:9200/path - # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 - #hosts: ["localhost:9200"] - - # Set gzip compression level. - #compression_level: 0 - - # Optional protocol and basic auth credentials. 
- #protocol: "https" - #username: "beats_system" - #password: "changeme" - - # Dictionary of HTTP parameters to pass within the url with index operations. - #parameters: - #param1: value1 - #param2: value2 - - # Custom HTTP headers to add to each request - #headers: - # X-My-Header: Contents of the header - - # Proxy server url - #proxy_url: http://proxy:3128 - - # The number of times a particular Elasticsearch index operation is attempted. If - # the indexing operation doesn't succeed after this many retries, the events are - # dropped. The default is 3. - #max_retries: 3 - - # The maximum number of events to bulk in a single Elasticsearch bulk API index request. - # The default is 50. - #bulk_max_size: 50 - - # Configure http request timeout before failing an request to Elasticsearch. - #timeout: 90 - - # Use SSL settings for HTTPS. - #ssl.enabled: true - - # Configure SSL verification mode. If `none` is configured, all server hosts - # and certificates will be accepted. In this mode, SSL based connections are - # susceptible to man-in-the-middle attacks. Use only for testing. Default is - # `full`. - #ssl.verification_mode: full - - # List of supported/valid TLS versions. By default all TLS versions 1.0 up to - # 1.2 are enabled. - #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] - - # SSL configuration. By default is off. - # List of root certificates for HTTPS server verifications - #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - - # Certificate for SSL client authentication - #ssl.certificate: "/etc/pki/client/cert.pem" - - # Client Certificate Key - #ssl.key: "/etc/pki/client/cert.key" - - # Optional passphrase for decrypting the Certificate Key. - #ssl.key_passphrase: '' - - # Configure cipher suites to be used for SSL connections - #ssl.cipher_suites: [] - - # Configure curve types for ECDHE based cipher suites - #ssl.curve_types: [] - - # Configure what types of renegotiation are supported. Valid options are - # never, once, and freely. 
Default is never. - #ssl.renegotiation: never - -#================================ HTTP Endpoint ====================================== -# Each beat can expose internal metrics through a HTTP endpoint. For security -# reasons the endpoint is disabled by default. This feature is currently experimental. -# Stats can be access through http://localhost:5066/stats . For pretty JSON output -# append ?pretty to the URL. - -# Defines if the HTTP endpoint is enabled. -http.enabled: true - -# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost. -http.host: 0.0.0.0 - -# Port on which the HTTP endpoint will bind. Default is 5066. -http.port: 5066 - -queue.mem.events: {{ FBMEMEVENTS }} -queue.mem.flush.min_events: {{ FBMEMFLUSHMINEVENTS }} diff --git a/salt/filebeat/etc/module-setup.yml b/salt/filebeat/etc/module-setup.yml deleted file mode 100644 index d0ecd5d22..000000000 --- a/salt/filebeat/etc/module-setup.yml +++ /dev/null @@ -1,10 +0,0 @@ -{%- set ES = salt['grains.get']('master') -%} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} - -output.elasticsearch: - enabled: true - hosts: ["https://{{ ES }}:9200"] - username: "{{ ES_USER }}" - password: "{{ ES_PASS }}" - ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] diff --git a/salt/filebeat/etc/module_config.yml.jinja b/salt/filebeat/etc/module_config.yml.jinja deleted file mode 100644 index 5d8782c01..000000000 --- a/salt/filebeat/etc/module_config.yml.jinja +++ /dev/null @@ -1,2 +0,0 @@ -# DO NOT EDIT THIS FILE -{{ MODULES|yaml(False) }} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls deleted file mode 100644 index 988807f82..000000000 --- a/salt/filebeat/init.sls +++ /dev/null 
@@ -1,162 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} -{% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} -{% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} -{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-searchnode', 'so-heavynode', 'so-import'] %} - -include: - - ssl -#only include elastic state for certain nodes -{% if grains.role in ES_INCLUDED_NODES %} - - elasticsearch -{% endif %} - -filebeatetcdir: - file.directory: - - name: /opt/so/conf/filebeat/etc - - user: 939 - - group: 939 - - makedirs: True - -filebeatmoduledir: - file.directory: - - name: /opt/so/conf/filebeat/modules - - user: root - - group: root - - makedirs: True - -filebeatlogdir: - file.directory: - - name: /opt/so/log/filebeat - - user: 939 - - group: 939 - - makedirs: True - -filebeatpkidir: - file.directory: - - name: /opt/so/conf/filebeat/etc/pki - - user: 939 - - group: 939 - - makedirs: True -fileregistrydir: - file.directory: - - name: /opt/so/conf/filebeat/registry - - user: 939 - - group: 939 - - makedirs: True - -# This needs to be owned by root -filebeatconf: - file.managed: - - name: /opt/so/conf/filebeat/etc/filebeat.yml - - source: salt://filebeat/etc/filebeat.yml - - user: root - - group: root - - template: jinja - - defaults: - INPUTS: {{ salt['pillar.get']('filebeat:config:inputs', {}) }} - OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }} - - 
show_changes: False - -# Filebeat module config file -filebeatmoduleconf: - file.managed: - - name: /opt/so/conf/filebeat/etc/module-setup.yml - - source: salt://filebeat/etc/module-setup.yml - - user: root - - group: root - - mode: 640 - - template: jinja - - show_changes: False - -merged_module_conf: - file.managed: - - name: /opt/so/conf/filebeat/modules/modules.yml - - source: salt://filebeat/etc/module_config.yml.jinja - - template: jinja - - defaults: - MODULES: {{ MODULESENABLED }} - -so_module_conf_remove: - file.absent: - - name: /opt/so/conf/filebeat/modules/securityonion.yml - -thirdyparty_module_conf_remove: - file.absent: - - name: /opt/so/conf/filebeat/modules/thirdparty.yml - -so-filebeat: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-filebeat:{{ GLOBALS.so_version }} - - hostname: so-filebeat - - user: root - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }} - - extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }} - - binds: - - /nsm:/nsm:ro - - /opt/so/log/filebeat:/usr/share/filebeat/logs:rw - - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - - /opt/so/conf/filebeat/etc/module-setup.yml:/usr/share/filebeat/module-setup.yml:ro - - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro - - /nsm/wazuh/logs/archives:/wazuh/archives:ro - - /opt/so/conf/filebeat/modules:/usr/share/filebeat/modules.d - - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - - /opt/so/conf/filebeat/registry:/usr/share/filebeat/data/registry:rw - - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro - - /opt/so/log:/logs:ro - - port_bindings: - {% for BINDING in DOCKER.containers['so-filebeat'].port_bindings %} - - {{ BINDING }} - {% endfor %} -{% for module in MODULESMERGED.modules.keys() %} - {% for submodule in MODULESMERGED.modules[module] %} - {% if 
MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %} - - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/tcp - - {{ MODULESMERGED.modules[module][submodule].get("var.syslog_host", "0.0.0.0") }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}:{{ MODULESMERGED.modules[module][submodule]["var.syslog_port"] }}/udp - {% endif %} - {% endfor %} -{% endfor %} - - watch: - - file: filebeatconf - - require: - - file: filebeatconf - - file: filebeatmoduleconf - - file: filebeatmoduledir - - x509: conf_filebeat_crt - - x509: conf_filebeat_key - - x509: trusttheca - -{% if grains.role in ES_INCLUDED_NODES %} -run_module_setup: - cmd.run: - - name: /usr/sbin/so-filebeat-module-setup - - require: - - file: filebeatmoduleconf - - docker_container: so-filebeat - - onchanges: - - docker_container: so-elasticsearch -{% endif %} - -append_so-filebeat_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-filebeat - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja deleted file mode 100644 index bcbec1a8c..000000000 --- a/salt/filebeat/map.jinja +++ /dev/null 
@@ -1,15 +0,0 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% set role = GLOBALS.role %} -{% set FILEBEAT_EXTRA_HOSTS = [] %} -{% if role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} - {% set node_data = salt['pillar.get']('logstash:nodes') %} - {% for node_type, node_details in node_data.items() | sort %} - {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} - {% for hostname in node_data[node_type].keys() %} - {% do FILEBEAT_EXTRA_HOSTS.append({hostname:node_details[hostname].ip}) %} - {% endfor %} - {% endif %} - {% endfor %} -{% endif %} - -{% do FILEBEAT_EXTRA_HOSTS.append({GLOBALS.hostname:GLOBALS.node_ip}) %} diff --git a/salt/filebeat/modules.map.jinja b/salt/filebeat/modules.map.jinja deleted file mode 100644 index c4a0a6db7..000000000 --- a/salt/filebeat/modules.map.jinja +++ /dev/null @@ -1,18 +0,0 @@ -{% import_yaml 'filebeat/thirdpartydefaults.yaml' as TPDEFAULTS %} -{% import_yaml 'filebeat/securityoniondefaults.yaml' as SODEFAULTS %} -{% set THIRDPARTY = salt['pillar.get']('filebeat:third_party_filebeat', default=TPDEFAULTS.third_party_filebeat, merge=True) %} -{% set SO = salt['pillar.get']('filebeat:securityonion_filebeat', default=SODEFAULTS.securityonion_filebeat, merge=True) %} -{% set MODULESMERGED = salt['defaults.merge'](SO, THIRDPARTY, in_place=False) %} - -{% set MODULESENABLED = [] %} -{% for module in MODULESMERGED.modules.keys() %} - {% set ENABLEDFILESETS = {} %} - {% for fileset in MODULESMERGED.modules[module] %} - {% if MODULESMERGED.modules[module][fileset].get('enabled', False) %} - {% do ENABLEDFILESETS.update({'module': module, fileset: MODULESMERGED.modules[module][fileset]}) %} - {% endif %} - {% endfor %} - {% if ENABLEDFILESETS|length > 0 %} - {% do MODULESENABLED.append(ENABLEDFILESETS) %} - {% endif %} -{% endfor %} diff --git a/salt/filebeat/pillar.example b/salt/filebeat/pillar.example deleted file mode 100644 index 94be16717..000000000 
--- a/salt/filebeat/pillar.example +++ /dev/null @@ -1,22 +0,0 @@ -filebeat: - config: - inputs: - - type: filestream - paths: - - /nsm/mylogdir/mylog.log - fields: - module: mymodule - dataset: mydataset - category: mycategory - - processors: - - drop_fields: - fields: '["source", "prospector", "input", "offset", "beat"]' - - fields_under_root: true - clean_removed: false - close_removed: false - output: - file: - path: "/tmp/filebeat" - filename: filebeat diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml deleted file mode 100644 index b97088972..000000000 --- a/salt/filebeat/securityoniondefaults.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{% set ZEEKLOGLOOKUP = { - 'conn': 'connection', -} %} -securityonion_filebeat: - modules: - {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-searchnode', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} - elasticsearch: - server: - enabled: true - var.paths: ["/logs/elasticsearch/*.log"] - logstash: - log: - enabled: true - var.paths: ["/logs/logstash.log"] - {%- endif %} - {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone'] %} - kibana: - log: - enabled: true - var.paths: ["/logs/kibana/kibana.log"] - {%- endif %} - {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-heavynode'] %} - redis: - log: - enabled: true - var.paths: ["/logs/redis.log"] - slowlog: - enabled: false - {%- endif %} - \ No newline at end of file diff --git a/salt/filebeat/thirdpartydefaults.yaml b/salt/filebeat/thirdpartydefaults.yaml deleted file mode 100644 index 48411cad9..000000000 --- a/salt/filebeat/thirdpartydefaults.yaml +++ /dev/null 
@@ -1,261 +0,0 @@ -third_party_filebeat: - modules: - aws: - cloudtrail: - enabled: false - cloudwatch: - enabled: false - ec2: - enabled: false - elb: - enabled: false - s3access: - enabled: false - vpcflow: - enabled: false - azure: - activitylogs: - enabled: false - platformlogs: - enabled: false - auditlogs: - enabled: false - signinlogs: - enabled: false - barracuda: - waf: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9503 - spamfirewall: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9524 - bluecoat: - director: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9505 - cef: - log: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9003 - checkpoint: - firewall: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9505 - cisco: - asa: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9001 - ftd: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9003 - ios: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9002 - nexus: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9506 - meraki: - enabled: false - var.syslog_host: 0.0.0.0 - var.syslog_port: 9525 - umbrella: - enabled: false - amp: - enabled: false - cylance: - protect: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9508 - f5: - bigipapm: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9504 - bigipafm: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9528 - fortinet: - firewall: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9004 - clientendpoint: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9510 - fortimail: - enabled: false - var.input: udp - var.syslog_port: 9350 - gcp: - vpcflow: - enabled: false - firewall: - enabled: false - audit: - enabled: false - google_workspace: - 
saml: - enabled: false - user_accounts: - enabled: false - login: - enabled: false - admin: - enabled: false - drive: - enabled: false - groups: - enabled: false - imperva: - securesphere: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9511 - infoblox: - nios: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9512 - juniper: - junos: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9513 - netscreen: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9523 - srx: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9006 - microsoft: - defender_atp: - enabled: false - m365_defender: - enabled: false - dhcp: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9515 - misp: - threat: - enabled: false - netflow: - log: - enabled: false - var.netflow_host: 0.0.0.0 - var.netflow_port: 2055 - var.internal_networks: - - private - netscout: - sightline: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9502 - o365: - audit: - enabled: false - okta: - system: - enabled: false - proofpoint: - emailsecurity: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9531 - radware: - defensepro: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9518 - snort: - log: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9532 - snyk: - audit: - enabled: false - vulnerabilities: - enabled: false - sonicwall: - firewall: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9519 - sophos: - xg: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9005 - utm: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9533 - squid: - log: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9520 - tomcat: - 
log: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9501 - threatintel: - abuseurl: - enabled: false - abusemalware: - enabled: false - misp: - enabled: false - malwarebazaar: - enabled: false - otx: - enabled: false - anomali: - enabled: false - anomalithreatstream: - enabled: false - zscaler: - zia: - enabled: false - var.input: udp - var.syslog_host: 0.0.0.0 - var.syslog_port: 9521 diff --git a/salt/grafana/dashboards/common_template.json.jinja b/salt/grafana/dashboards/common_template.json.jinja deleted file mode 100644 index 4c6745c3c..000000000 --- a/salt/grafana/dashboards/common_template.json.jinja +++ /dev/null @@ -1,64 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "{{TITLE}}", - "editable": true, - "gnetId": null, - "graphTooltip": 0, - "id": {{ ID }}, - "iteration": 1625757047565, - "links": [], - "panels": [ -{% for panel in PANELS -%} -{%- import_json "grafana/panels/" ~ panel ~ ".json.jinja" as panel %} -{{ panel | json }} {% if not loop.last %},{% endif %} -{% endfor -%} - ], - "refresh": "5m", - "schemaVersion": 27, - "style": "dark", - "tags": [], - "templating": { - "list": [ -{% for template in TEMPLATES.keys() -%} -{%- import_json "grafana/templates/" ~ template ~ ".json" as template %} -{{ template | json }} {% if not loop.last %},{% endif %} -{% endfor -%} - ] - }, - "time": { - "from": "now-3h", - "to": "now" - }, - "timepicker": { - "refresh_intervals": [ - "30s", - "1m", - "5m", - "15m", - "30m", - "1h", - "2h", - "1d" - ] - }, - "timezone": "browser", - "title": "{{ TITLE }}", - {% if TITLE | lower == 'security onion grid overview' %} - "uid": "so_overview", - {% else %} - "uid": "{{ UID }}", - {% endif %} - "version": 1 -} 
diff --git a/salt/grafana/etc/dashboards/dashboard.yml b/salt/grafana/etc/dashboards/dashboard.yml deleted file mode 100644 index 2c422069c..000000000 --- a/salt/grafana/etc/dashboards/dashboard.yml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: 1 - -providers: -- name: 'Dashboards' - folder: 'Dashboards' - type: file - disableDeletion: false - editable: true - allowUiUpdates: true - options: - path: /etc/grafana/grafana_dashboards/ - diff --git a/salt/grafana/etc/datasources/influxdb.yaml b/salt/grafana/etc/datasources/influxdb.yaml deleted file mode 100644 index 1c4fd8135..000000000 --- a/salt/grafana/etc/datasources/influxdb.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: 1 - -deleteDatasources: - - name: Graphite - orgId: 1 - -datasources: - - name: InfluxDB - type: influxdb - access: proxy - database: telegraf - url: https://{{ GLOBALS.influxdb_host }}:8086 - jsonData: - tlsAuth: false - tlsAuthWithCACert: false - tlsSkipVerify: true - version: 1 diff --git a/salt/grafana/etc/files/readme.txt b/salt/grafana/etc/files/readme.txt deleted file mode 100644 index c78e8687c..000000000 --- a/salt/grafana/etc/files/readme.txt +++ /dev/null @@ -1 +0,0 @@ -For files that are referenced inside the Grafana config, place them in /opt/so/saltstack/local/salt/grafana/etc/files/. This would include keys used for smtp or a Grafana enterprise license file. \ No newline at end of file diff --git a/salt/grafana/etc/grafana.ini.jinja b/salt/grafana/etc/grafana.ini.jinja deleted file mode 100644 index f2309056d..000000000 --- a/salt/grafana/etc/grafana.ini.jinja +++ /dev/null @@ -1,12 +0,0 @@ -{%- macro write_config_line(cfg) %} -{%- for k,v in cfg.items() -%} -{{ k }} = {{ v }} -{% endfor %} -{%- endmacro %} - -{{ write_config_line(config.get("default", {})) }} -{% for header, cfg in config.items() %} -{%- if header == "default" %}{% continue %}{% endif %} -[{{ header }}] -{{ write_config_line(cfg) }} -{% endfor %} \ No newline at end of file 
diff --git a/salt/grafana/grafana_defaults.yaml b/salt/grafana/grafana_defaults.yaml deleted file mode 100644 index b05775886..000000000 --- a/salt/grafana/grafana_defaults.yaml +++ /dev/null 
@@ -1,3147 +0,0 @@ -grafana: - config: - server: - root_url: "%(protocol)s://%(domain)s/grafana/" - auth.anonymous: - enabled: true - org_name: Main Org. - org_role: Viewer - smtp: - enabled: false - host: localhost:25 - user: myuser - password: mypassword - cert_file: /etc/grafana/config/files/smtp_cert_file.crt - key_file: /etc/grafana/config/files/smtp_key_file.key - skip_verify: false - from_address: admin@grafana.localhost - from_name: Grafana - ehlo_identity: dashboard.example.com - auth.ldap: - enabled: false - config_file: /etc/grafana/config/files/ldap.toml - allow_sign_up: true - enterprise: - license_path: /opt/so/conf/grafana/etc/files/license.jwt - dashboards: - overview: - title: 'Security Onion Grid Overview' - templating: - list: - servername: - text: All - value: "$__all" - role: - allValue: true - multi: true - hide: 0 - text: All - value: "$__all" - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime_graph: - gridPos: - x: 0 - y: 1 - h: 8 - w: 12 - uptime_docker_combined_current_graph: - gridPos: - x: 12 - y: 1 - h: 8 - w: 12 - cpu_usage_current_graph: - gridPos: - x: 0 - y: 9 - h: 8 - w: 24 - memory_usage_percent_graph: - gridPos: - x: 0 - y: 17 - h: 8 - w: 24 - disk_usage_root_percent_graph: - gridPos: - x: 0 - y: 25 - h: 8 - w: 24 - disk_usage_nsm_percent_graph: - gridPos: - x: 0 - y: 33 - h: 8 - w: 24 - swap_usage_percent_graph: - gridPos: - x: 0 - y: 41 - h: 8 - w: 24 - io_wait_graph: - gridPos: - x: 0 - y: 49 - h: 8 - w: 24 - - row_network: - gridPos: - x: 0 - y: 57 - h: 1 - w: 24 - management_interface_traffic_inbound_graph: - gridPos: - x: 0 - y: 58 - h: 8 - w: 24 - management_interface_traffic_outbound_graph: - gridPos: - x: 0 - y: 64 - h: 8 - w: 24 - management_interface_drops_inbound_graph: - gridPos: - x: 0 - y: 72 - h: 8 - w: 24 - management_interface_drops_outbound_graph: - gridPos: - x: 0 - y: 80 - h: 8 - w: 24 - 
monitor_interface_traffic_inbound_graph: - gridPos: - x: 0 - y: 88 - h: 8 - w: 24 - monitor_interface_drops_inbound_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - - row_packet_loss: - gridPos: - x: 0 - y: 104 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 105 - h: 8 - w: 24 - hideTrend: true - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 113 - h: 8 - w: 24 - hideTrend: true - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 121 - h: 8 - w: 24 - hideTrend: true - - row_cpu: - gridPos: - x: 0 - y: 999 - h: 1 - w: 24 - cpu_usage_tasks_running_graph: - gridPos: - x: 0 - y: 1000 - h: 8 - w: 24 - cpu_usage_tasks_zombies_graph: - gridPos: - x: 0 - y: 1008 - h: 8 - w: 12 - cpu_usage_tasks_stopped_graph: - gridPos: - x: 12 - y: 1008 - h: 8 - w: 12 - cpu_usage_tasks_sleeping_graph: - gridPos: - x: 0 - y: 1016 - h: 8 - w: 12 - cpu_usage_tasks_blocked_graph: - gridPos: - x: 12 - y: 1016 - h: 8 - w: 12 - cpu_usage_tasks_paging_graph: - gridPos: - x: 0 - y: 1024 - h: 8 - w: 12 - cpu_usage_tasks_unknown_graph: - gridPos: - x: 12 - y: 1024 - h: 8 - w: 12 - - - standalone: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 
4 - monitor_interface_traffic_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 - w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 20 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 69 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - 
gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 24 - - row_elasticsearch: - gridPos: - x: 0 - y: 161 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 162 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 162 - h: 8 - w: 12 - elasticsearch_store_size_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 170 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - row_zeek: - gridPos: - x: 0 - y: 187 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 188 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 188 - h: 8 - w: 12 - - row_suricata: - gridPos: - x: 0 - y: 196 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 197 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 205 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 206 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 206 - h: 8 - w: 8 - - row_influxdb: - gridPos: - x: 0 - y: 214 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 214 - h: 8 - w: 24 - - - manager: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - 
manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - 
y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_elasticsearch: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 153 - h: 8 - w: 12 - elasticsearch_store_size_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 161 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 169 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 24 - - row_influxdb: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - - managersearch: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - 
io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - 
network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 24 - - row_elasticsearch: - gridPos: - x: 0 - y: 161 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 162 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 162 - h: 8 - w: 12 - elasticsearch_store_size_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 170 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - row_influxdb: - gridPos: - x: 0 - y: 214 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 214 - h: 8 - w: 24 - - - sensor: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - monitor_interface_traffic_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 
- w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 20 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_traffic_inbound_total_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 77 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 77 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 85 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 86 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 86 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 94 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 95 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 95 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 95 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 103 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 120 
- h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 152 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 152 - h: 8 - w: 12 - - row_zeek: - gridPos: - x: 0 - y: 160 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 161 - h: 8 - w: 12 - - row_suricata: - gridPos: - x: 0 - y: 169 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 170 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 179 - h: 8 - w: 8 - - - searchnode: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - logstash_estimated_eps_out_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - 
gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 
- y: 153 - h: 8 - w: 24 - logstash_estimated_eps_in_total_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 24 - logstash_estimated_eps_out_graph: - gridPos: - x: 0 - y: 169 - h: 8 - w: 24 - logstash_estimated_eps_out_total_graph: - gridPos: - x: 0 - y: 172 - h: 8 - w: 24 - - - heavynode: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - monitor_interface_traffic_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - 
y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 69 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 - y: 153 - h: 8 - w: 24 - - row_zeek: - gridPos: - x: 0 - y: 170 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 171 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 171 - h: 8 - w: 
12 - - row_suricata: - gridPos: - x: 0 - y: 179 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 180 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 188 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 189 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 189 - h: 8 - w: 8 - - - eval: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - pcap_retention_stat: - gridPos: - x: 18 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - monitor_interface_traffic_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - zeek_packet_loss_stat: - gridPos: - x: 12 - y: 5 - h: 4 - w: 4 - suricata_packet_loss_stat: - gridPos: - x: 16 - y: 5 - h: 4 - w: 4 - stenographer_packet_loss_stat: - gridPos: - x: 20 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: 
- x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - monitor_interface_traffic_both_graph: - gridPos: - x: 0 - y: 61 - h: 8 - w: 24 - monitor_interface_packets_graph: - gridPos: - x: 0 - y: 69 - h: 8 - w: 12 - monitor_interface_drops_graph: - gridPos: - x: 12 - y: 69 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_elasticsearch: - gridPos: - x: 0 - y: 161 - h: 1 - w: 24 - elasticsearch_document_count_graph: - gridPos: - x: 0 - y: 162 - h: 8 - w: 12 - elasticsearch_thread_count_graph: - gridPos: - x: 12 - y: 162 - h: 8 - w: 12 - elasticsearch_store_size_graph: - 
gridPos: - x: 0 - y: 170 - h: 8 - w: 12 - elasticsearch_field_data_cache_size_graph: - gridPos: - x: 12 - y: 170 - h: 8 - w: 12 - - row_redis: - gridPos: - x: 0 - y: 178 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 179 - h: 8 - w: 24 - - row_zeek: - gridPos: - x: 0 - y: 187 - h: 1 - w: 24 - zeek_packet_loss_graph: - gridPos: - x: 0 - y: 188 - h: 8 - w: 12 - zeek_capture_loss_graph: - gridPos: - x: 12 - y: 188 - h: 8 - w: 12 - - row_suricata: - gridPos: - x: 0 - y: 196 - h: 1 - w: 24 - suricata_packet_loss_graph: - gridPos: - x: 0 - y: 197 - h: 8 - w: 24 - - row_stenographer: - gridPos: - x: 0 - y: 205 - h: 1 - w: 24 - stenographer_packet_loss_graph: - gridPos: - x: 0 - y: 206 - h: 8 - w: 16 - stenographer_pcap_retention_graph: - gridPos: - x: 16 - y: 206 - h: 8 - w: 8 - - row_influxdb: - gridPos: - x: 0 - y: 214 - h: 1 - w: 24 - influxdb_db_size_graph: - gridPos: - x: 0 - y: 214 - h: 8 - w: 24 - - - receiver: - templating: - list: - servername: {} - role: - allValue: false - multi: false - hide: 2 - containers: {} - manint: {} - monint: {} - cpucount: {} - disk: {} - panels: - row_overview: - gridPos: - x: 0 - y: 0 - h: 1 - w: 24 - system_uptime: - gridPos: - x: 0 - y: 1 - h: 4 - w: 4 - load_average_5_minute_stat: - gridPos: - x: 4 - y: 1 - h: 4 - w: 4 - cpu_usage_guage: - gridPos: - x: 8 - y: 1 - h: 4 - w: 2 - ram_usage_guage: - gridPos: - x: 10 - y: 1 - h: 4 - w: 2 - swap_usage_guage: - gridPos: - x: 12 - y: 1 - h: 4 - w: 2 - rootfs_used_guage: - gridPos: - x: 14 - y: 1 - h: 4 - w: 2 - nsm_used_guage: - gridPos: - x: 16 - y: 1 - h: 4 - w: 2 - io_wait_stat: - gridPos: - x: 20 - y: 1 - h: 4 - w: 4 - logstash_estimated_eps_in_stat: - gridPos: - x: 0 - y: 5 - h: 4 - w: 4 - logstash_estimated_eps_out_stat: - gridPos: - x: 4 - y: 5 - h: 4 - w: 4 - redis_queue_stat: - gridPos: - x: 8 - y: 5 - h: 4 - w: 4 - - row_cpu: - gridPos: - x: 0 - y: 9 - h: 1 - w: 24 - cpu_usage_tasks_all_graph: - gridPos: - x: 0 - y: 10 - h: 8 - w: 24 - load_averages_graph: - 
gridPos: - x: 0 - y: 18 - h: 8 - w: 12 - process_status_graph: - gridPos: - x: 12 - y: 18 - h: 8 - w: 12 - - row_memory: - gridPos: - x: 0 - y: 26 - h: 1 - w: 24 - memory_usage_graph: - gridPos: - x: 0 - y: 27 - h: 8 - w: 24 - - row_swap: - gridPos: - x: 0 - y: 35 - h: 1 - w: 24 - swap_io_bytes_graph: - gridPos: - x: 0 - y: 36 - h: 8 - w: 12 - swap_usage_bytes_graph: - gridPos: - x: 12 - y: 36 - h: 8 - w: 12 - - row_network: - gridPos: - x: 0 - y: 44 - h: 1 - w: 24 - management_interface_traffic_both_graph: - gridPos: - x: 0 - y: 45 - h: 8 - w: 24 - management_interface_packets_graph: - gridPos: - x: 0 - y: 53 - h: 8 - w: 12 - management_interface_drops_graph: - gridPos: - x: 12 - y: 53 - h: 8 - w: 12 - - row_disk_usage: - gridPos: - x: 0 - y: 77 - h: 1 - w: 24 - disk_usage_root_graph: - gridPos: - x: 0 - y: 78 - h: 8 - w: 12 - disk_usage_nsm_graph: - gridPos: - x: 12 - y: 78 - h: 8 - w: 12 - - row_disk_iops: - gridPos: - x: 0 - y: 86 - h: 1 - w: 24 - disk_io_requests_graph: - gridPos: - x: 0 - y: 87 - h: 8 - w: 8 - disk_io_bytes_graph: - gridPos: - x: 8 - y: 87 - h: 8 - w: 8 - disk_io_time_graph: - gridPos: - x: 16 - y: 87 - h: 8 - w: 8 - - row_docker_details: - gridPos: - x: 0 - y: 95 - h: 1 - w: 24 - cpu_docker_combined_current_graph: - gridPos: - x: 0 - y: 96 - h: 8 - w: 24 - cpu_docker_combined_trend_graph: - gridPos: - x: 0 - y: 104 - h: 8 - w: 24 - memory_used_docker_combined_current_graph: - gridPos: - x: 0 - y: 112 - h: 8 - w: 24 - memory_used_docker_combined_trend_graph: - gridPos: - x: 0 - y: 120 - h: 8 - w: 24 - network_usage_docker_combined_current_graph: - gridPos: - x: 0 - y: 128 - h: 8 - w: 24 - network_usage_docker_combined_trend_graph: - gridPos: - x: 0 - y: 136 - h: 8 - w: 24 - uptime_docker_combined_current_graph: - gridPos: - x: 0 - y: 144 - h: 8 - w: 12 - uptime_docker_combined_trend_graph: - gridPos: - x: 12 - y: 144 - h: 8 - w: 12 - - row_logstash: - gridPos: - x: 0 - y: 152 - h: 1 - w: 24 - logstash_estimated_eps_in_graph: - gridPos: - x: 0 
- y: 153 - h: 8 - w: 24 - logstash_estimated_eps_in_total_graph: - gridPos: - x: 0 - y: 161 - h: 8 - w: 24 - logstash_estimated_eps_out_graph: - gridPos: - x: 0 - y: 169 - h: 8 - w: 24 - logstash_estimated_eps_out_total_graph: - gridPos: - x: 0 - y: 172 - h: 8 - w: 24 - - row_redis: - gridPos: - x: 0 - y: 180 - h: 1 - w: 24 - redis_queue_graph: - gridPos: - x: 0 - y: 181 - h: 8 - w: 24 - - - pipeline_overview_nontc: - title: 'Pipeline Overview' - templating: - list: - searchnode: - includeAll: true - multi: true - hide: 2 - text: All - value: "$__all" - panels: - redis_queue_graph: - gridPos: - x: 0 - y: 0 - h: 8 - w: 8 - logstash_eps_in_out_manager_graph: - gridPos: - x: 8 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_searchnode_total_graph: - gridPos: - x: 16 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_out_searchnode_graph: - gridPos: - x: 0 - y: 8 - h: 8 - w: 24 - elasticsearch_ingest_performance_nontc_graph: - gridPos: - x: 0 - y: 16 - h: 8 - w: 24 - elasticsearch_pipeline_time_nontc_graph: - gridPos: - x: 0 - y: 24 - h: 8 - w: 24 - - - pipeline_overview_tc: - title: 'Pipeline Overview' - templating: - list: - searchnode: - includeAll: true - multi: true - hide: 2 - text: All - value: "$__all" - cluster_name: - includeAll: true - multi: true - hide: 2 - text: All - value: "$__all" - panels: - redis_queue_graph: - gridPos: - x: 0 - y: 0 - h: 8 - w: 8 - logstash_eps_in_out_manager_graph: - gridPos: - x: 8 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_searchnode_total_graph: - gridPos: - x: 16 - y: 0 - h: 8 - w: 8 - logstash_indexing_eps_in_out_searchnode_graph: - gridPos: - x: 0 - y: 8 - h: 8 - w: 24 - elasticsearch_ingest_performance_tc_graph: - gridPos: - x: 0 - y: 16 - h: 8 - w: 24 - elasticsearch_pipeline_time_tc_graph: - gridPos: - x: 0 - y: 24 - h: 8 - w: 24 diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls deleted file mode 100644 index 1c5f30d5b..000000000 --- a/salt/grafana/init.sls +++ /dev/null 
@@ -1,164 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %} - -{% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %} -{% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %} - -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval'] %} - -{% set ALLOWED_DASHBOARDS = ['overview', 'standalone', 'manager', 'managersearch', 'sensor', 'searchnode', 'heavynode', 'eval', 'receiver'] %} -{% set DASHBOARDS = ['overview'] %} -{% if grains.role == 'so-eval' %} - {% do DASHBOARDS.append('eval') %} -{% else %} - {% if not salt['pillar.get']('elasticsearch:true_cluster', False) %} - {% do DASHBOARDS.append('pipeline_overview_nontc') %} - {% else %} - {% do DASHBOARDS.append('pipeline_overview_tc') %} - {% endif %} - {# Grab a unique listing of nodetypes that exists so that we create only the needed dashboards #} - {% for dashboard in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' 
{'print $1'}").split() %} - {% if dashboard in ALLOWED_DASHBOARDS %} - {% do DASHBOARDS.append(dashboard) %} - {% endif %} - {% endfor %} -{% endif %} - - - -# Grafana all the things -grafanadir: - file.directory: - - name: /nsm/grafana - - user: 939 - - group: 939 - - makedirs: True - -grafanaconfdir: - file.directory: - - name: /opt/so/conf/grafana/etc - - user: 939 - - group: 939 - - makedirs: True - -grafanadashdir: - file.directory: - - name: /opt/so/conf/grafana/grafana_dashboards - - user: 939 - - group: 939 - - makedirs: True - -{% for type in ['eval','manager','managersearch','search_nodes','sensor_nodes','standalone'] %} -remove_dashboard_dir_{{type}}: - file.absent: - - name: /opt/so/conf/grafana/grafana_dashboards/{{type}} -{% endfor %} - -grafana-dashboard-config: - file.managed: - - name: /opt/so/conf/grafana/etc/dashboards/dashboard.yml - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/etc/dashboards/dashboard.yml - - makedirs: True - - -grafana-datasources-config: - file.managed: - - name: /opt/so/conf/grafana/etc/datasources/influxdb.yaml - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/etc/datasources/influxdb.yaml - - makedirs: True - - defaults: - GLOBALS: {{ GLOBALS }} - -grafana-config: - file.managed: - - name: /opt/so/conf/grafana/etc/grafana.ini - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/etc/grafana.ini.jinja - - context: - config: {{ GRAFANA_SETTINGS.config|json }} - -# these are the files that are referenced inside the config such as smtp:cert_file, smtp:cert_key, auth.ldap:config_file, enterprise:license_path -grafana-config-files: - file.recurse: - - name: /opt/so/conf/grafana/etc/files - - user: 939 - - group: 939 - - source: salt://grafana/etc/files - - makedirs: True - -so-grafana-dashboard-folder-delete: - cmd.run: - - name: /usr/sbin/so-grafana-dashboard-folder-delete - - unless: ls /opt/so/state/so-grafana-dashboard-folder-delete-complete - -{% 
for dashboard in DASHBOARDS | unique %} -{{dashboard}}-dashboard: - file.managed: - - name: /opt/so/conf/grafana/grafana_dashboards/{{dashboard}}.json - - user: 939 - - group: 939 - - template: jinja - - source: salt://grafana/dashboards/common_template.json.jinja - - defaults: - DASHBOARD: {{ dashboard }} - PANELS: {{GRAFANA_SETTINGS.dashboards[dashboard].panels}} - TEMPLATES: {{GRAFANA_SETTINGS.dashboards[dashboard].templating.list}} - TITLE: {{ GRAFANA_SETTINGS.dashboards[dashboard].get('title', dashboard| capitalize) }} - ID: {{ loop.index }} - UID: {{ dashboard }} -{% endfor %} - -so-grafana: - docker_container.running: - - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-grafana:{{ GLOBALS.so_version }} - - hostname: grafana - - user: socore - - networks: - - sobridge: - - ipv4_address: {{ DOCKER.containers['so-grafana'].ip }} - - extra_hosts: - - {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}} - - binds: - - /nsm/grafana:/var/lib/grafana:rw - - /opt/so/conf/grafana/etc/grafana.ini:/etc/grafana/grafana.ini:ro - - /opt/so/conf/grafana/etc/datasources:/etc/grafana/provisioning/datasources:rw - - /opt/so/conf/grafana/etc/dashboards:/etc/grafana/provisioning/dashboards:rw - - /opt/so/conf/grafana/grafana_dashboards:/etc/grafana/grafana_dashboards:rw - - /opt/so/conf/grafana/etc/files:/etc/grafana/config/files:ro - - environment: - - GF_SECURITY_ADMIN_PASSWORD={{ ADMINPASS }} - - port_bindings: - {% for BINDING in DOCKER.containers['so-grafana'].port_bindings %} - - {{ BINDING }} - {% endfor %} - - watch: - - file: /opt/so/conf/grafana/* - - require: - - file: grafana-config - -append_so-grafana_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-grafana - -{% endif %} - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} 
diff --git a/salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja b/salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja deleted file mode 100644 index 7d0f67135..000000000 --- a/salt/grafana/panels/cpu_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,223 +0,0 @@ -{ - "id": 100, - "gridPos": { - "x": {{ PANELS.cpu_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.cpu_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.cpu_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.cpu_docker_combined_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container CPU Usage Current", - "transformations": [], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 1, - "unit": "percent" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/n_cpus/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "color", - "value": { - "mode": "fixed", - "fixedColor": "dark-red" - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - 
"measurement": "docker_container_cpu", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(\"usage_percent\") FROM \"docker_container_cpu\" WHERE (\"host\" =~ /^$servername$/ AND \"container_name\" =~ /^$containers$/) AND $timeFilter GROUP BY time($__interval), \"container_name\", \"host\" fill(null)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - }, - { - "alias": "$tag_host: n_cpus*100", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "system", - "orderByTime": "ASC", - "policy": "default", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "n_cpus" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - " * 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja deleted file mode 100644 index 2e2dbe797..000000000 --- a/salt/grafana/panels/cpu_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,220 +0,0 @@ -{ - "id": 101, - "gridPos": { - "x": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.cpu_docker_combined_trend_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container CPU Usage Trend", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 1, - "unit": "percent" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/n_cpus/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "color", - "value": { - "mode": "fixed", - "fixedColor": "dark-red" - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_cpu", - "orderByTime": 
"ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_usage_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - }, - { - "alias": "$tag_host: n_cpus*100", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "system", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_n_cpus" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - " * 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_usage_current_graph.json.jinja b/salt/grafana/panels/cpu_usage_current_graph.json.jinja deleted file mode 100644 index 15c70cedd..000000000 --- a/salt/grafana/panels/cpu_usage_current_graph.json.jinja +++ /dev/null 
@@ -1,150 +0,0 @@ -{ - "id": 69001, - "gridPos": { - "x": {{ PANELS.cpu_usage_current_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_current_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_current_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_idle" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "*-1 + 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - 
"key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "cpu", - "operator": "=", - "value": "cpu-total" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_usage_guage.json.jinja b/salt/grafana/panels/cpu_usage_guage.json.jinja deleted file mode 100644 index d5cd949d8..000000000 --- a/salt/grafana/panels/cpu_usage_guage.json.jinja +++ /dev/null 
@@ -1,126 +0,0 @@ -{ - "id": 9, - "gridPos": { - "x": {{ PANELS.cpu_usage_guage.gridPos.x }}, - "y": {{ PANELS.cpu_usage_guage.gridPos.y }}, - "w": {{ PANELS.cpu_usage_guage.gridPos.w }}, - "h": {{ PANELS.cpu_usage_guage.gridPos.h }} - }, - "type": "gauge", - "title": "CPU usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 70 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 80 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_idle" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "* -1 + 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "cpu", - "operator": "=", - "value": "cpu-total" - } - ], - "orderByTime": "ASC" - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} 
diff --git a/salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja deleted file mode 100644 index dea4c3d8c..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_all_graph.json.jinja +++ /dev/null 
@@ -1,193 +0,0 @@ -{ - "id": 61871, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_all_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(usage_user) as \"user\", mean(usage_system) as \"system\", mean(usage_softirq) as \"softirq\", mean(usage_steal) as \"steal\", mean(usage_nice) as \"nice\", mean(usage_irq) as \"irq\", mean(usage_iowait) as \"iowait\", mean(usage_guest) as \"guest\", mean(usage_guest_nice) as \"guest_nice\" FROM \"cpu\" WHERE \"host\" =~ /^$servername$/ and cpu = 'cpu-total' AND $timeFilter GROUP BY time($__interval), *", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [], - "hide": false - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_usage_user) as \"trend_user\", mean(mean_usage_system) as \"trend_system\", mean(mean_usage_softirq) as \"trend_softirq\", mean(mean_usage_steal) as \"trend_steal\", mean(mean_usage_nice) as \"trend_nice\", mean(mean_usage_irq) as 
\"trend_irq\", mean(mean_usage_iowait) as \"trend_iowait\", mean(mean_usage_guest) as \"trend_guest\", mean(mean_usage_guest_nice) as \"trend_guest_nice\" FROM \"so_long_term\".\"cpu\" WHERE \"host\" =~ /^$servername$/ and cpu = 'cpu-total' AND $timeFilter GROUP BY time($__interval), * fill(linear)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja deleted file mode 100644 index 6a7371038..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_blocked_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69005, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_blocked_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Blocked", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(blocked) as blocked FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja deleted file mode 100644 index 2f56dffaa..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_paging_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69008, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_paging_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Paging", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(paging) as paging FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": 
"mean" - } - ] - ], - "tags": [] - } - ], - "interval": "30s", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja deleted file mode 100644 index 657321696..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_running_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69003, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_running_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Running", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(running) as running FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja deleted file mode 100644 index e88272d2d..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_sleeping_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69006, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_sleeping_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Sleeping", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(sleeping) as sleeping FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja deleted file mode 100644 index d45d59a18..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_stopped_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69007, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_stopped_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Stopped", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(stopped) as stopped FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja deleted file mode 100644 index f0c3005eb..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_unknown_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69009, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_unknown_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Unknown", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(unknown) as unknown FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja b/salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja deleted file mode 100644 index 20149ae3b..000000000 --- a/salt/grafana/panels/cpu_usage_tasks_zombies_graph.json.jinja +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "id": 69004, - "gridPos": { - "x": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.x }}, - "y": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.y }}, - "w": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.w }}, - "h": {{ PANELS.cpu_usage_tasks_zombies_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "CPU Tasks Zombies", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(zombies) as zombies FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host, role ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - 
"type": "mean" - } - ] - ], - "tags": [] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/disk_io_bytes_graph.json.jinja b/salt/grafana/panels/disk_io_bytes_graph.json.jinja deleted file mode 100644 index 4b9c4c7ff..000000000 --- a/salt/grafana/panels/disk_io_bytes_graph.json.jinja +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "id": 60200, - "gridPos": { - "x": {{ PANELS.disk_io_bytes_graph.gridPos.x }}, - "y": {{ PANELS.disk_io_bytes_graph.gridPos.y }}, - "w": {{ PANELS.disk_io_bytes_graph.gridPos.w }}, - "h": {{ PANELS.disk_io_bytes_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk I/O bytes for /dev/$disk", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "bytes", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(read_bytes),1s) as \"read\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "B", 
- "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(write_bytes),1s) as \"write\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "scopedVars": { - "disk": { - "text": "sda", - "value": "sda", - "selected": false - } - }, - "maxDataPoints": null, - "repeat": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_io_requests_graph.json.jinja b/salt/grafana/panels/disk_io_requests_graph.json.jinja deleted file mode 100644 index a3f95772c..000000000 --- a/salt/grafana/panels/disk_io_requests_graph.json.jinja +++ /dev/null 
@@ -1,190 +0,0 @@ -{ - "id": 13782, - "gridPos": { - "x": {{ PANELS.disk_io_requests_graph.gridPos.x }}, - "y": {{ PANELS.disk_io_requests_graph.gridPos.y }}, - "w": {{ PANELS.disk_io_requests_graph.gridPos.w }}, - "h": {{ PANELS.disk_io_requests_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk I/O requests for /dev/$disk", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "iops", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(reads),1s) as \"read\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - 
"refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [], - "hide": false - }, - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(writes),1s) as \"write\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "scopedVars": { - "disk": { - "text": "sda", - "value": "sda", - "selected": false - } - }, - "maxDataPoints": null, - "repeat": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_io_time_graph.json.jinja b/salt/grafana/panels/disk_io_time_graph.json.jinja deleted file mode 100644 index fa7c7b51e..000000000 --- a/salt/grafana/panels/disk_io_time_graph.json.jinja +++ /dev/null 
@@ -1,189 +0,0 @@ -{ - "id": 56720, - "gridPos": { - "x": {{ PANELS.disk_io_time_graph.gridPos.x }}, - "y": {{ PANELS.disk_io_time_graph.gridPos.y }}, - "w": {{ PANELS.disk_io_time_graph.gridPos.w }}, - "h": {{ PANELS.disk_io_time_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk I/O time for /dev/$disk", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "ms", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(read_time),1s) as \"read\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "B", - 
"resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_name: $col", - "dsType": "influxdb", - "function": "mean", - "groupBy": [ - { - "interval": "auto", - "params": [ - "auto" - ], - "type": "time" - }, - { - "key": "host", - "params": [ - "tag" - ], - "type": "tag" - }, - { - "key": "path", - "params": [ - "tag" - ], - "type": "tag" - } - ], - "measurement": "io_reads", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(write_time),1s) as \"write\" FROM \"diskio\" WHERE \"host\" =~ /$servername$/ AND \"name\" =~ /$disk$/ AND $timeFilter GROUP BY time($__interval), *", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "scopedVars": { - "disk": { - "text": "sda", - "value": "sda", - "selected": false - } - }, - "maxDataPoints": null, - "repeat": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_nsm_graph.json.jinja b/salt/grafana/panels/disk_usage_nsm_graph.json.jinja deleted file mode 100644 index 90212b681..000000000 --- a/salt/grafana/panels/disk_usage_nsm_graph.json.jinja +++ /dev/null 
@@ -1,211 +0,0 @@ -{ - "id": 68888, - "gridPos": { - "x": {{ PANELS.disk_usage_nsm_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_nsm_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_nsm_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_nsm_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /nsm", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/nsm' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_total) AS \"trend_total\", mean(mean_used) as \"trend_used\" FROM \"so_long_term\".\"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/nsm' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\" fill(linear)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], 
- "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/total/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "#C4162A", - "mode": "fixed" - } - }, - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 2 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja b/salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja deleted file mode 100644 index 7486b29d9..000000000 --- a/salt/grafana/panels/disk_usage_nsm_percent_graph.json.jinja +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - "id": 47230, - "gridPos": { - "x": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_nsm_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /nsm", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1, - "min": 0, - "max": 100 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/nsm' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": 
"randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/nsm" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_root_graph.json.jinja b/salt/grafana/panels/disk_usage_root_graph.json.jinja deleted file mode 100644 index 07ac20bbe..000000000 --- a/salt/grafana/panels/disk_usage_root_graph.json.jinja +++ /dev/null 
@@ -1,211 +0,0 @@ -{ - "id": 61880, - "gridPos": { - "x": {{ PANELS.disk_usage_root_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_root_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_root_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_root_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: mountpoint $tag_path - $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_total) AS \"trend_total\", mean(mean_used) as \"trend_used\" FROM \"so_long_term\".\"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\" fill(linear)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "stepAfter", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/total/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "#C4162A", - "mode": "fixed" - } - }, - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 2 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/disk_usage_root_percent_graph.json.jinja b/salt/grafana/panels/disk_usage_root_percent_graph.json.jinja deleted file mode 100644 index 90cc3ff9b..000000000 --- a/salt/grafana/panels/disk_usage_root_percent_graph.json.jinja +++ /dev/null 
@@ -1,149 +0,0 @@ -{ - "id": 67830, - "gridPos": { - "x": {{ PANELS.disk_usage_root_percent_graph.gridPos.x }}, - "y": {{ PANELS.disk_usage_root_percent_graph.gridPos.y }}, - "w": {{ PANELS.disk_usage_root_percent_graph.gridPos.w }}, - "h": {{ PANELS.disk_usage_root_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Disk Usage /", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1, - "min": 0, - "max": 100 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) AS \"total\", mean(used) as \"used\" FROM \"disk\" WHERE \"host\" =~ /$servername$/ AND \"path\" = '/' AND $timeFilter GROUP BY time($__interval), \"host\", \"path\"", - "queryType": 
"randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_document_count_graph.json.jinja b/salt/grafana/panels/elasticsearch_document_count_graph.json.jinja deleted file mode 100644 index fd296aeb1..000000000 --- a/salt/grafana/panels/elasticsearch_document_count_graph.json.jinja +++ /dev/null 
@@ -1,193 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.elasticsearch_document_count_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_document_count_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_document_count_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_document_count_graph.gridPos.h }} - }, - "id": 33, - "links": [], - "maxDataPoints": 750, - "nullPointMode": "connected", - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "docs_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "alias": "Document Count Current" - }, - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_docs_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "alias": "Document Count Trend", - "hide": false - } - ], - "thresholds": [], - "title": "Document Count", - "type": "graph", - "options": { - "alertThreshold": true - }, - "interval": "30s", - "pluginVersion": "7.5.4", - "renderer": "flot", - "yaxes": [ - { - "label": null, - "show": true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:678" - }, - { - "label": null, - "show": 
true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:679" - } - ], - "xaxis": { - "show": true, - "mode": "time", - "name": null, - "values": [], - "buckets": null - }, - "yaxis": { - "align": false, - "alignLevel": null - }, - "lines": true, - "fill": 1, - "linewidth": 1, - "dashLength": 10, - "spaceLength": 10, - "pointradius": 2, - "legend": { - "show": true, - "values": true, - "min": false, - "max": false, - "current": true, - "total": false, - "avg": false, - "alignAsTable": true, - "rightSide": false - }, - "tooltip": { - "value_type": "individual", - "shared": true, - "sort": 0 - }, - "aliasColors": {}, - "seriesOverrides": [ - { - "$$hashKey": "object:1050", - "alias": "/Trend/", - "fill": 0, - "linewidth": 4, - "dashes": true, - "dashLength": 4 - } - ], - "timeRegions": [], - "cacheTimeout": null, - "fillGradient": 0, - "dashes": false, - "hiddenSeries": false, - "points": false, - "bars": false, - "stack": false, - "percentage": false, - "steppedLine": false, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja b/salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja deleted file mode 100644 index aee84c813..000000000 --- a/salt/grafana/panels/elasticsearch_field_data_cache_size_graph.json.jinja +++ /dev/null 
@@ -1,191 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_field_data_cache_size_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 6363, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": true, - "max": true, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Size Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "fielddata_memory_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Size Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - 
} - ], - "hide": false, - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_fielddata_memory_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Fielddata Cache Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja b/salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja deleted file mode 100644 index 0166ae4b6..000000000 --- a/salt/grafana/panels/elasticsearch_ingest_performance_nontc_graph.json.jinja +++ /dev/null 
@@ -1,796 +0,0 @@ -{ - "id": 445549, - "gridPos": { - "x": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_ingest_performance_nontc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Elastic Ingest Performance - $searchnode", - "repeat": "searchnode", - "repeatDirection": "v", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 0, - "unit": "ms" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "community.id_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_community_id_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": 
"non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "conditionals_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_conditional_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "convert_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_convert_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "data.index.name_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "F", - "resultFormat": "time_series", - "select": [ - [ - { - "type": 
"field", - "params": [ - "ingest_processor_stats_date_index_name_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "data_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "G", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_date_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "dissect_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "H", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_dissect_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": 
"=", - "value": "$searchnode" - } - ] - }, - { - "alias": "dot.expander_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "I", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_dot_expander_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "geoip_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "K", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_geoip_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "grok_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - 
"orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "L", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_grok_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "json_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "O", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_json_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "kv_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY 
time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "P", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_kv_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "lowercase_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "Q", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_lowercase_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "remove_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "R", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_remove_time_in_millis" - ] - 
}, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "rename_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "S", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_rename_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "script_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "T", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_script_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "url_decodes", - 
"groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"role\" = 'manager') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "U", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_user_agent_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - } - ], - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja b/salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja deleted file mode 100644 index aaf997836..000000000 --- a/salt/grafana/panels/elasticsearch_ingest_performance_tc_graph.json.jinja +++ /dev/null 
@@ -1,793 +0,0 @@ -{ - "id": 445548, - "gridPos": { - "x": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_ingest_performance_tc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Elastic Ingest Performance", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "community.id_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_community_id_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "conditionals_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_conditional_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "convert_time", - "groupBy": [ - { - 
"params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_convert_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "data.index.name_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "F", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_date_index_name_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "data_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": 
"randomWalk", - "rawQuery": false, - "refId": "G", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_date_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "dissect_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "H", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_dissect_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "dot.expander_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "I", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_dot_expander_time_in_millis" - ], - "type": 
"field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "geoip_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "K", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_geoip_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "grok_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "L", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_grok_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": 
"$cluster_name" - } - ] - }, - { - "alias": "json_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "O", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_json_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "kv_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "P", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_kv_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "lowercase_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": 
"elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "Q", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_lowercase_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "remove_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "R", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_remove_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "rename_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) 
FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "S", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_rename_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "script_time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "T", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_script_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - }, - { - "alias": "url_decodes", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_difference(mode(\"ingest_processor_stats_date_index_name_time_in_millis\")) FROM \"elasticsearch_clusterstats_nodes\" WHERE (\"cluster_name\" = '$cluster_name') AND $timeFilter GROUP BY time($__interval) fill(linear)", - "queryType": "randomWalk", - "rawQuery": false, - 
"refId": "U", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "ingest_processor_stats_user_agent_time_in_millis" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [], - "type": "non_negative_difference" - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "ms" - }, - "overrides": [] - }, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja b/salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja deleted file mode 100644 index 2920ef314..000000000 --- a/salt/grafana/panels/elasticsearch_pipeline_time_nontc_graph.json.jinja +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "id": 445552, - "gridPos": { - "x": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_pipeline_time_nontc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Pipeline Time", - "datasource": "InfluxDB", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "ms" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "$tag_host", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_pipeline_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", 
- "value": "/search/" - }, - { - "key": "role", - "value": "heavynode", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - } - ] -} - - - - - - - diff --git a/salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja b/salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja deleted file mode 100644 index 42ac51038..000000000 --- a/salt/grafana/panels/elasticsearch_pipeline_time_tc_graph.json.jinja +++ /dev/null 
@@ -1,129 +0,0 @@ -{ - "id": 445552, - "gridPos": { - "x": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_pipeline_time_tc_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Pipeline Time", - "datasource": "InfluxDB", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "ms" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Time", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_clusterstats_nodes", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "ingest_processor_stats_pipeline_time_in_millis" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_difference", - "params": [] - } - ] - ], - "tags": [ - { - "key": "cluster_name", - "operator": "=", - "value": "$cluster_name" - } - ] - } - ] -} - - - - - - - 
diff --git a/salt/grafana/panels/elasticsearch_store_size_graph.json.jinja b/salt/grafana/panels/elasticsearch_store_size_graph.json.jinja deleted file mode 100644 index 554809b5c..000000000 --- a/salt/grafana/panels/elasticsearch_store_size_graph.json.jinja +++ /dev/null 
@@ -1,195 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "cacheTimeout": null, - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.elasticsearch_store_size_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_store_size_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_store_size_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_store_size_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 63442, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "hideEmpty": true, - "max": false, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "links": [], - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Size Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "store_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Size Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": 
[ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "elasticsearch_indices", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_store_size_in_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Store Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "decbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja b/salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja deleted file mode 100644 index e1d8edd98..000000000 --- a/salt/grafana/panels/elasticsearch_thread_count_graph.json.jinja +++ /dev/null 
@@ -1,192 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.elasticsearch_thread_count_graph.gridPos.x }}, - "y": {{ PANELS.elasticsearch_thread_count_graph.gridPos.y }}, - "w": {{ PANELS.elasticsearch_thread_count_graph.gridPos.w }}, - "h": {{ PANELS.elasticsearch_thread_count_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 56565, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": true, - "max": true, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Count Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "elasticsearch_jvm", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "threads_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Count Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": 
"elasticsearch_jvm", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_threads_count" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Thread Count", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "decimals": 0, - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/influxdb_db_size_graph.json.jinja b/salt/grafana/panels/influxdb_db_size_graph.json.jinja deleted file mode 100644 index 71d636fe9..000000000 --- a/salt/grafana/panels/influxdb_db_size_graph.json.jinja +++ /dev/null 
@@ -1,191 +0,0 @@ -{ - "aliasColors": {}, - "bars": false, - "maxDataPoints": 750, - "interval": "30s", - "dashLength": 10, - "dashes": false, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "links": [] - }, - "overrides": [] - }, - "fill": 1, - "fillGradient": 0, - "gridPos": { - "x": {{ PANELS.influxdb_db_size_graph.gridPos.x }}, - "y": {{ PANELS.influxdb_db_size_graph.gridPos.y }}, - "w": {{ PANELS.influxdb_db_size_graph.gridPos.w }}, - "h": {{ PANELS.influxdb_db_size_graph.gridPos.h }} - }, - "hiddenSeries": false, - "id": 69, - "legend": { - "alignAsTable": true, - "avg": true, - "current": true, - "hideEmpty": true, - "max": true, - "min": false, - "rightSide": false, - "show": true, - "sort": "current", - "sortDesc": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "7.5.4", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "alias": "/Trend/", - "dashLength": 4, - "dashes": true, - "fill": 0, - "linewidth": 4 - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "alias": "Size Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "influxsize", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "kbytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - }, - { - "alias": "Size Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "influxsize", - "orderByTime": "ASC", - "policy": "so_long_term", - 
"refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_kbytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "InfluxDB Database Size", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "format": "deckbytes", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } -} diff --git a/salt/grafana/panels/io_wait_graph.json.jinja b/salt/grafana/panels/io_wait_graph.json.jinja deleted file mode 100644 index 9447563ec..000000000 --- a/salt/grafana/panels/io_wait_graph.json.jinja +++ /dev/null 
@@ -1,148 +0,0 @@ -{ - "id": 69011, - "gridPos": { - "x": {{ PANELS.io_wait_graph.gridPos.x }}, - "y": {{ PANELS.io_wait_graph.gridPos.y }}, - "w": {{ PANELS.io_wait_graph.gridPos.w }}, - "h": {{ PANELS.io_wait_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "IO Wait", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "cpu", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_iowait" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - 
"condition": "AND", - "key": "cpu", - "operator": "=", - "value": "cpu-total" - } - ] - } - ], - "description": "", - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/io_wait_stat.json.jinja b/salt/grafana/panels/io_wait_stat.json.jinja deleted file mode 100644 index 4fe4a3d8e..000000000 --- a/salt/grafana/panels/io_wait_stat.json.jinja +++ /dev/null 
@@ -1,125 +0,0 @@
-{
- "id": 61867,
- "gridPos": {
- "x": {{ PANELS.io_wait_stat.gridPos.x }},
- "y": {{ PANELS.io_wait_stat.gridPos.y }},
- "w": {{ PANELS.io_wait_stat.gridPos.w }},
- "h": {{ PANELS.io_wait_stat.gridPos.h }}
- },
- "type": "stat",
- "title": "IOWait",
- "datasource": "InfluxDB",
- "pluginVersion": "8.2.1",
- "links": [],
- "fieldConfig": {
- "defaults": {
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "dark-green",
- "value": null
- },
- {
- "color": "rgba(237, 129, 40, 0.89)",
- "value": 40
- },
- {
- "color": "dark-red",
- "value": 50
- }
- ]
- },
- "mappings": [
- {
- "options": {
- "match": "null",
- "result": {
- "text": "N/A"
- }
- },
- "type": "special"
- }
- ],
- "color": {
- "mode": "thresholds"
- },
- "decimals": 2,
- "max": 100,
- "min": 0,
- "unit": "percent"
- },
- "overrides": []
- },
- "interval": "30",
- "options": {
- "reduceOptions": {
- "values": false,
- "calcs": [
- "lastNotNull"
- ],
- "fields": ""
- },
- "orientation": "horizontal",
- "text": {},
- "textMode": "auto",
- "colorMode": "value",
- "graphMode": "area",
- "justifyMode": "auto"
- },
- "targets": [
- {
- "dsType": "influxdb",
- "groupBy": [
- {
- "params": [
- "$interval"
- ],
- "type": "time"
- },
- {
- "params": [
- "null"
- ],
- "type": "fill"
- }
- ],
- "measurement": "cpu",
- "orderByTime": "ASC",
- "policy": "default",
- "query": "SELECT non_negative_derivative(mean(\"usage_iowait\"), 1s) FROM \"cpu\" WHERE (host =~ /$servername$/ AND \"cpu\" = 'cpu-total') AND $timeFilter GROUP BY time($interval) fill(null)",
- "rawQuery": false,
- "refId": "A",
- "resultFormat": "time_series",
- "select": [
- [
- {
- "params": [
- "usage_iowait"
- ],
- "type": "field"
- },
- {
- "params": [],
- "type": "last"
- }
- ]
- ],
- "tags": [
- {
- "key": "host",
- "operator": "=",
- "value": "$servername"
- },
- {
- "condition": "AND",
- "key": "cpu",
- "operator": "=",
- "value": "cpu-total"
- }
- ]
- }
- ],
- "maxDataPoints": null,
- "cacheTimeout": null
-}
diff --git a/salt/grafana/panels/load_average_5_minute_stat.json.jinja b/salt/grafana/panels/load_average_5_minute_stat.json.jinja
deleted file mode 100644
index 8198a8d19..000000000
--- a/salt/grafana/panels/load_average_5_minute_stat.json.jinja
+++ /dev/null
@@ -1,118 +0,0 @@
-{
- "id": 61859,
- "gridPos": {
- "x": {{ PANELS.load_average_5_minute_stat.gridPos.x }},
- "y": {{ PANELS.load_average_5_minute_stat.gridPos.y }},
- "w": {{ PANELS.load_average_5_minute_stat.gridPos.w }},
- "h": {{ PANELS.load_average_5_minute_stat.gridPos.h }}
- },
- "type": "stat",
- "title": "5 Minute Load Average - $cpucount Cores",
- "datasource": "InfluxDB",
- "pluginVersion": "8.2.1",
- "interval": "30",
- "links": [],
- "fieldConfig": {
- "defaults": {
- "thresholds": {
- "mode": "absolute",
- "steps": [
- {
- "color": "rgba(50, 172, 45, 0.97)",
- "value": null
- },
- {
- "color": "rgba(237, 129, 40, 0.89)",
- "value": "$cpucount / 1.5"
- },
- {
- "color": "rgba(245, 54, 54, 0.9)",
- "value": "$cpucount"
- }
- ]
- },
- "mappings": [
- {
- "options": {
- "from": null,
- "result": {
- "text": "N/A"
- },
- "to": null
- },
- "type": "range"
- }
- ],
- "color": {
- "mode": "thresholds"
- },
- "decimals": 1,
- "unit": "none"
- },
- "overrides": []
- },
- "options": {
- "reduceOptions": {
- "values": false,
- "calcs": [
- "lastNotNull"
- ],
- "fields": ""
- },
- "orientation": "horizontal",
- "text": {},
- "textMode": "auto",
- "colorMode": "value",
- "graphMode": "area",
- "justifyMode": "auto"
- },
- "targets": [
- {
- "dsType": "influxdb",
- "groupBy": [
- {
- "params": [
- "$__interval"
- ],
- "type": "time"
- },
- {
- "params": [
- "null"
- ],
- "type": "fill"
- }
- ],
- "measurement": "system",
- "orderByTime": "ASC",
- "policy": "default",
- "query": "SELECT last(\"load5\") FROM \"system\" WHERE (\"host\" = '$servername') AND $timeFilter GROUP BY time($__interval) fill(null)",
- "rawQuery": false,
- "refId": "A",
- "resultFormat": "time_series",
- "select": [
- [
- {
- "params": [
- "load5"
- ],
- "type": "field"
- },
- {
- "params": [],
- "type": "last"
- }
- ]
- ],
- "tags": [
- {
- "key": "host",
- "operator": "=",
- "value": "$servername"
- }
- ]
- }
- ],
- "cacheTimeout": null,
- "maxDataPoints": null
-}
diff --git a/salt/grafana/panels/load_averages_graph.json.jinja b/salt/grafana/panels/load_averages_graph.json.jinja
deleted file mode 100644
index b92a5ba6c..000000000
--- a/salt/grafana/panels/load_averages_graph.json.jinja
+++ /dev/null
@@ -1,187 +0,0 @@ -{ - "id": 61869, - "gridPos": { - "x": {{ PANELS.load_averages_graph.gridPos.x }}, - "y": {{ PANELS.load_averages_graph.gridPos.y }}, - "w": {{ PANELS.load_averages_graph.gridPos.w }}, - "h": {{ PANELS.load_averages_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "1 Minute Load Average", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(load1) as \"1 minute\", last(n_cpus) as \"Total Cores\" FROM \"system\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), * ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_load1) as \"trend_1 minute\" FROM \"so_long_term\".\"system\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), * fill(linear) ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": 
"linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja b/salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja deleted file mode 100644 index 7812ca0bd..000000000 --- a/salt/grafana/panels/logstash_eps_in_out_manager_graph.json.jinja +++ /dev/null 
@@ -1,403 +0,0 @@ -{ - "id": 77741, - "gridPos": { - "x": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.x }}, - "y": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.y }}, - "w": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.w }}, - "h": {{ PANELS.logstash_eps_in_out_manager_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Manager Logstash Events", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "description": "Events from the grid to redis", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 50, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "short" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Incoming/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/Outgoing/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "green", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Incoming hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Outgoing hidden" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Incoming hidden" - } - ] - }, - { - "matcher": { - "id": "byName", - 
"options": "Incoming" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/hidden/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "legend": true, - "tooltip": true, - "viz": false - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Incoming", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - }, - { - "alias": "Outgoing", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", 
- "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - }, - { - "alias": "Incoming hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - }, - { - "alias": "Outgoing hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - } - ], - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja deleted file mode 100644 index c1c9ed39a..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_in_graph.json.jinja +++ /dev/null 
@@ -1,230 +0,0 @@ -{ - "id": 76, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_in_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS In", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - 
"$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) as \"current_in\" FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - }, - { - "refId": "B", - "hide": false, - "policy": "so_long_term", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "mean_in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"mean_in\"), 1s) as \"trend_in\" FROM \"so_long_term\".\"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null, - "transformations": [] -} diff --git a/salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja b/salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja deleted file mode 100644 index f492dd4b9..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_in_stat.json.jinja +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "id": 23, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_in_stat.gridPos.h }} - }, - "type": "stat", - "title": "Estimated EPS In - Selected Total", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-red", - "value": null - }, - { - "color": "dark-green", - "value": 1 - } - ] - }, - "mappings": [ - { - "type": "special", - "options": { - "match": "null", - "result": { - "text": "N/A" - } - } - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "unit": "short" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events" - } - ], - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - 
"timeFrom": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja deleted file mode 100644 index 42399b5ca..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_in_total_graph.json.jinja +++ /dev/null 
@@ -1,156 +0,0 @@ -{ - "id": 69001, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_in_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS In - Selected Total", - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true, - "alias": "Total EPS" - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - 
] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja deleted file mode 100644 index 16878ee6e..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_out_graph.json.jinja +++ /dev/null 
@@ -1,230 +0,0 @@ -{ - "id": 69000, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_out_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS Out", - "transformations": [], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": 
"time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"out\"), 1s) as \"current_out\" FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - }, - { - "refId": "B", - "hide": false, - "policy": "so_long_term", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "mean_in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "alias": "$tag_host: $col", - "query": "SELECT non_negative_derivative(mean(\"mean_out\"), 1s) as \"trend_out\" FROM \"so_long_term\".\"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": true - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja b/salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja deleted file mode 100644 index dc87661f5..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_out_stat.json.jinja +++ /dev/null 
@@ -1,136 +0,0 @@ -{ - "id": 22323, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_out_stat.gridPos.h }} - }, - "type": "stat", - "title": "Estimated EPS Out - Selected Total", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-red", - "value": null - }, - { - "color": "dark-green", - "value": 1 - } - ] - }, - "mappings": [ - { - "type": "special", - "options": { - "match": "null", - "result": { - "text": "N/A" - } - } - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "unit": "short" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events" - } - ], - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - 
"timeFrom": null -} diff --git a/salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja b/salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja deleted file mode 100644 index 3d1600c39..000000000 --- a/salt/grafana/panels/logstash_estimated_eps_out_total_graph.json.jinja +++ /dev/null 
@@ -1,156 +0,0 @@ -{ - "id": 69002, - "gridPos": { - "x": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.x }}, - "y": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.y }}, - "w": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.w }}, - "h": {{ PANELS.logstash_estimated_eps_out_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Estimated EPS Out - Selected Total", - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true, - "alias": "Total EPS" - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "refId": "A", - "hide": false, - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "value": "/^$servername$/", - "operator": "=~" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - 
"host" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "measurement": "logstash_events", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"host\" =~ /^$servername$/) AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja b/salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja deleted file mode 100644 index ab7a569bb..000000000 --- a/salt/grafana/panels/logstash_indexing_eps_in_out_searchnode_graph.json.jinja +++ /dev/null 
@@ -1,411 +0,0 @@ -{ - "id": 445554, - "gridPos": { - "x": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.x }}, - "y": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.y }}, - "w": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.w }}, - "h": {{ PANELS.logstash_indexing_eps_in_out_searchnode_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Indexing Events Per Second - $searchnode", - "repeat": "searchnode", - "repeatDirection": "v", - "transformations": [], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 50, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "short" - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Incoming/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/Outgoing/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "green", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Incoming hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Outgoing hidden" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Incoming" - }, - "properties": [ - { - "id": 
"custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Outgoing hidden" - }, - "properties": [ - { - "id": "custom.fillBelowTo", - "value": "Incoming hidden" - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/hidden/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "legend": true, - "tooltip": true, - "viz": false - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "multi" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Incoming", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "Outgoing", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" 
WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "Incoming hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - }, - { - "alias": "Outgoing hidden", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "out" - ] - }, - { - "type": "mean", - "params": [] - 
}, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$searchnode" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja b/salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja deleted file mode 100644 index 81876a606..000000000 --- a/salt/grafana/panels/logstash_indexing_eps_in_searchnode_total_graph.json.jinja +++ /dev/null 
@@ -1,170 +0,0 @@ -{ - "id": 69001, - "gridPos": { - "x": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.x }}, - "y": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.y }}, - "w": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.w }}, - "h": {{ PANELS.logstash_indexing_eps_in_searchnode_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Total Searchnode Indexing Events Per Second", - "transformations": [ - { - "id": "calculateField", - "options": { - "alias": "Total EPS", - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "EPS", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "fixed", - "fixedColor": "orange" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "short" - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "logstash_events", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT 
non_negative_derivative(mean(\"in\"), 1s) FROM \"logstash_events\" WHERE (\"role\" = \"searchnode\") AND $timeFilter GROUP BY time($__interval), \"host\" fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "in" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/search/" - }, - { - "key": "role", - "value": "heavynode", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "standalone", - "operator": "=", - "condition": "OR" - }, - { - "key": "role", - "value": "eval", - "operator": "=", - "condition": "OR" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_drops_graph.json.jinja b/salt/grafana/panels/management_interface_drops_graph.json.jinja deleted file mode 100644 index 9de6c8f19..000000000 --- a/salt/grafana/panels/management_interface_drops_graph.json.jinja +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "id": 61877, - "gridPos": { - "x": {{ PANELS.management_interface_drops_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_drops_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_drops_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_drops_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Drops", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_out), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - 
} - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_in), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_out), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - 
} - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja b/salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja deleted file mode 100644 index 1ca096743..000000000 --- a/salt/grafana/panels/management_interface_drops_inbound_graph.json.jinja +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "id": 61877, - "gridPos": { - "x": {{ PANELS.management_interface_drops_inbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_drops_inbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_drops_inbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_drops_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Drops - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as 
\"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,role fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja b/salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja deleted file mode 100644 index 91fcb5b22..000000000 --- a/salt/grafana/panels/management_interface_drops_outbound_graph.json.jinja +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "id": 188189, - "gridPos": { - "x": {{ PANELS.management_interface_drops_outbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_drops_outbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_drops_outbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_drops_outbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Drops - Outbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT 
non_negative_derivative(mean(drop_out), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), host,role fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_packets_graph.json.jinja b/salt/grafana/panels/management_interface_packets_graph.json.jinja deleted file mode 100644 index b3e429f2f..000000000 --- a/salt/grafana/panels/management_interface_packets_graph.json.jinja +++ /dev/null 
@@ -1,283 +0,0 @@ -{ - "id": 61875, - "gridPos": { - "x": {{ PANELS.management_interface_packets_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_packets_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_packets_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_packets_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Packets", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_recv), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [], - "hide": false - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_sent), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_recv), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_sent), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$manint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Packets per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - 
"mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_traffic_both_graph.json.jinja b/salt/grafana/panels/management_interface_traffic_both_graph.json.jinja deleted file mode 100644 index e15bef885..000000000 --- a/salt/grafana/panels/management_interface_traffic_both_graph.json.jinja +++ /dev/null 
@@ -1,409 +0,0 @@ -{ - "id": 18, - "gridPos": { - "x": {{ PANELS.management_interface_traffic_both_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_traffic_both_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_traffic_both_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_traffic_both_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Traffic ", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "dash": [ - 4, - 10 - ], - "fill": "dash" - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: RX Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" 
- ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: TX Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_sent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: RX Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "linear" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "net", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "C", - "resultFormat": 
"time_series", - "select": [ - [ - { - "params": [ - "mean_bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: TX Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "linear" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "net", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_bytes_sent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja b/salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja deleted file mode 100644 index 3f876a18d..000000000 --- a/salt/grafana/panels/management_interface_traffic_inbound_graph.json.jinja +++ /dev/null 
@@ -1,164 +0,0 @@ -{ - "id": 18, - "gridPos": { - "x": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_traffic_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Traffic - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1, - "min": 0 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" 
WHERE (\"host\" = '$servername' AND \"interface\" = '$manint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja b/salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja deleted file mode 100644 index 48817d448..000000000 --- a/salt/grafana/panels/management_interface_traffic_outbound_graph.json.jinja +++ /dev/null 
@@ -1,162 +0,0 @@ -{ - "id": 69014, - "gridPos": { - "x": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.x }}, - "y": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.y }}, - "w": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.w }}, - "h": {{ PANELS.management_interface_traffic_outbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Management Interface Traffic - Outbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1, - "min": 0 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - 
"params": [ - "bytes_sent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$manint$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/memory_usage_graph.json.jinja b/salt/grafana/panels/memory_usage_graph.json.jinja deleted file mode 100644 index 662eb18c1..000000000 --- a/salt/grafana/panels/memory_usage_graph.json.jinja +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "id": 61873, - "gridPos": { - "x": {{ PANELS.memory_usage_graph.gridPos.x }}, - "y": {{ PANELS.memory_usage_graph.gridPos.y }}, - "w": {{ PANELS.memory_usage_graph.gridPos.w }}, - "h": {{ PANELS.memory_usage_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Memory Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(total) as total, mean(used) as used, mean(cached) as cached, mean(free) as free, mean(buffered) as buffered FROM \"mem\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_total) as trend_total, mean(mean_used) as trend_used, mean(mean_cached) as trend_cached, mean(mean_free) as trend_free, mean(mean_buffered) as trend_buffered FROM \"so_long_term\".\"mem\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host fill(linear) ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - 
{ - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/total/" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "#C4162A", - "mode": "fixed" - } - }, - { - "id": "custom.fillOpacity", - "value": 0 - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/memory_usage_percent_graph.json.jinja b/salt/grafana/panels/memory_usage_percent_graph.json.jinja deleted file mode 100644 index 620c3ea72..000000000 --- a/salt/grafana/panels/memory_usage_percent_graph.json.jinja +++ /dev/null 
@@ -1,139 +0,0 @@ -{ - "id": 69013, - "gridPos": { - "x": {{ PANELS.memory_usage_percent_graph.gridPos.x }}, - "y": {{ PANELS.memory_usage_percent_graph.gridPos.y }}, - "w": {{ PANELS.memory_usage_percent_graph.gridPos.w }}, - "h": {{ PANELS.memory_usage_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Memory Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "mem", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - 
"overrides": [] - }, - "interval": "30s", - "description": "", - "timeFrom": null, - "timeShift": null, - "maxDataPoints": null -} diff --git a/salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja b/salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja deleted file mode 100644 index 8a5ee72ce..000000000 --- a/salt/grafana/panels/memory_used_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "id": 102, - "gridPos": { - "x": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.memory_used_docker_combined_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Memory Usage Current", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_mem", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "usage_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": 
"off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1 - }, - "overrides": [] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja deleted file mode 100644 index fb3aa402c..000000000 --- a/salt/grafana/panels/memory_used_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,143 +0,0 @@ -{ - "id": 103, - "gridPos": { - "x": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.memory_used_docker_combined_trend_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Memory Usage Trend", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_mem", - "orderByTime": "ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "mean_usage_percent" - ] - }, - { - "type": "mean", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - 
"thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1 - }, - "overrides": [] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_drops_graph.json.jinja b/salt/grafana/panels/monitor_interface_drops_graph.json.jinja deleted file mode 100644 index 993926156..000000000 --- a/salt/grafana/panels/monitor_interface_drops_graph.json.jinja +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "id": 61387, - "gridPos": { - "x": {{ PANELS.monitor_interface_drops_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_drops_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_drops_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_drops_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Drops", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_out), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_in), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_drop_out), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,interface fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - 
"color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja b/salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja deleted file mode 100644 index 2c4574f84..000000000 --- a/salt/grafana/panels/monitor_interface_drops_inbound_graph.json.jinja +++ /dev/null 
@@ -1,125 +0,0 @@ -{ - "id": 188190, - "gridPos": { - "x": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_drops_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Drops - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Drops per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(drop_in), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), host,role fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - 
"resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_packets_graph.json.jinja b/salt/grafana/panels/monitor_interface_packets_graph.json.jinja deleted file mode 100644 index 4c44fdb87..000000000 --- a/salt/grafana/panels/monitor_interface_packets_graph.json.jinja +++ /dev/null 
@@ -1,282 +0,0 @@ -{ - "id": 61878, - "gridPos": { - "x": {{ PANELS.monitor_interface_packets_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_packets_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_packets_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_packets_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Packets", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "last" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_recv), 1s) as \"in\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(packets_sent), 1s) as \"out\" FROM \"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, 
- { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_recv), 1s) as \"trend_in\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "C", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $tag_interface: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(mean_packets_sent), 1s) as \"trend_out\" FROM \"so_long_term\".\"net\" WHERE host =~ /$servername/ AND interface =~ /$monint/ AND $timeFilter GROUP BY time($__interval), * fill(none)", - "rawQuery": true, - "refId": "D", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "Packets per second", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": 
"palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "pps", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja b/salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja deleted file mode 100644 index 3c1a6fc74..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_both_graph.json.jinja +++ /dev/null 
@@ -1,276 +0,0 @@ -{ - "id": 10, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_both_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Traffic", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "dash": [ - 4, - 10 - ], - "fill": "dash" - } - } - ] - }, - { - "matcher": { - "id": "byRegexp", - "options": "/veth/" - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "tooltip": true, - "viz": true, - "legend": true - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "last" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_interface: RX Current", - "dsType": 
"influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - }, - { - "alias": "$tag_host: $tag_interface: RX Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "interface" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "net", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - } - ], - "description": "", - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} 
diff --git a/salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja b/salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja
deleted file mode 100644
index 5365bd3ac..000000000
--- a/salt/grafana/panels/monitor_interface_traffic_inbound_graph.json.jinja
+++ /dev/null
@@ -1,167 +0,0 @@ -{ - "id": 188188, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_inbound_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Interface Traffic - Inbound", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 2, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - }, - "lineStyle": { - "fill": "solid" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "bps", - "decimals": 1, - "min": 0 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT 
non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" WHERE (\"host\" = '$servername' AND \"interface\" = '$monint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja b/salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja deleted file mode 100644 index 67e92668d..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_inbound_total_graph.json.jinja +++ /dev/null 
@@ -1,178 +0,0 @@ -{ - "id": 224244, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_inbound_total_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Monitor Traffic - Selected Total", - "transformations": [ - { - "id": "calculateField", - "options": { - "alias": "Total Monitor Traffic", - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "replaceFields": true - } - } - ], - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "auto", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(245, 54, 54, 0.9)", - "value": null - }, - { - "color": "rgba(50, 172, 45, 0.97)", - "value": 1 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "decimals": 1, - "unit": "bps" - }, - "overrides": [] - }, - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - 
"type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" WHERE (\"host\" =~ /^$servername$/ AND \"interface\" = '$monint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "bytes_recv" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ] - } - ], - "cacheTimeout": null, - "description": "", - "maxDataPoints": null -} diff --git a/salt/grafana/panels/monitor_interface_traffic_stat.json.jinja b/salt/grafana/panels/monitor_interface_traffic_stat.json.jinja deleted file mode 100644 index 283d93f7a..000000000 --- a/salt/grafana/panels/monitor_interface_traffic_stat.json.jinja +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "id": 24, - "gridPos": { - "x": {{ PANELS.monitor_interface_traffic_stat.gridPos.x }}, - "y": {{ PANELS.monitor_interface_traffic_stat.gridPos.y }}, - "w": {{ PANELS.monitor_interface_traffic_stat.gridPos.w }}, - "h": {{ PANELS.monitor_interface_traffic_stat.gridPos.h }} - }, - "type": "stat", - "title": "Monitor Traffic - Selected Total", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(245, 54, 54, 0.9)", - "value": null - }, - { - "color": "rgba(50, 172, 45, 0.97)", - "value": 1 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 2, - "unit": "bps" - }, - "overrides": [] - }, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "net", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "bytes_recv" - ] - }, - { - "type": "mean", - "params": [] - }, - { - "type": "non_negative_derivative", - "params": [ - "1s" - ] - }, - { - "type": "math", - "params": [ - "*8" - ] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "interface", - "operator": "=~", - "value": "/^$monint$/" - } - ], - "query": "SELECT 
non_negative_derivative(mean(\"bytes_recv\"), 1s) *8 FROM \"net\" WHERE (\"host\" =~ /^$servername$/ AND \"interface\" = '$monint') AND $timeFilter GROUP BY time($__interval) fill(null)", - "rawQuery": false - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "interval": null, - "transformations": [ - { - "id": "calculateField", - "options": { - "mode": "reduceRow", - "reduce": { - "reducer": "sum" - }, - "alias": "Monitor Traffic", - "replaceFields": true - } - } - ], - "description": "" -} diff --git a/salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja b/salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja deleted file mode 100644 index 9a9d81504..000000000 --- a/salt/grafana/panels/network_usage_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "id": 61868, - "gridPos": { - "x": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.network_usage_docker_combined_current_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Network Usage Current", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name RX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_net", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "rx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ], - "hide": false - }, - { - "alias": "$tag_host: $tag_container_name TX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "docker_container_net", - 
"orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "tx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 5, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [] - }, - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja deleted file mode 100644 index b8dc975d8..000000000 --- a/salt/grafana/panels/network_usage_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,231 +0,0 @@ -{ - "id": 61461, - "gridPos": { - "x": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.network_usage_docker_combined_trend_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Container Network Usage Trend", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "5m", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $tag_container_name RX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_net", - "orderByTime": "ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_rx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - }, - { - "alias": "$tag_host: $tag_container_name TX", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "docker_container_net", - "orderByTime": "ASC", 
- "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_tx_bytes" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "1s" - ], - "type": "non_negative_derivative" - }, - { - "params": [ - "*8" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 5, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bps", - "decimals": 1 - }, - "overrides": [] - }, - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/nsm_used_guage.json.jinja b/salt/grafana/panels/nsm_used_guage.json.jinja deleted file mode 100644 index 3175d3bfd..000000000 --- a/salt/grafana/panels/nsm_used_guage.json.jinja +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "id": 12, - "gridPos": { - "x": {{ PANELS.nsm_used_guage.gridPos.x }}, - "y": {{ PANELS.nsm_used_guage.gridPos.y }}, - "w": {{ PANELS.nsm_used_guage.gridPos.w }}, - "h": {{ PANELS.nsm_used_guage.gridPos.h }} - }, - "type": "gauge", - "title": "NSM used", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 85 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 95 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/nsm" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/pcap_retention_stat.json.jinja b/salt/grafana/panels/pcap_retention_stat.json.jinja deleted file mode 100644 index 138b18e6b..000000000 
--- a/salt/grafana/panels/pcap_retention_stat.json.jinja +++ /dev/null @@ -1,113 +0,0 @@ -{ - "id": 26, - "gridPos": { - "x": {{ PANELS.pcap_retention_stat.gridPos.x }}, - "y": {{ PANELS.pcap_retention_stat.gridPos.y }}, - "w": {{ PANELS.pcap_retention_stat.gridPos.w }}, - "h": {{ PANELS.pcap_retention_stat.gridPos.h }} - }, - "type": "stat", - "title": "PCAP Retention", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 2, - "unit": "d" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto" - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "pcapage", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "seconds" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "/86400" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/process_status_graph.json.jinja b/salt/grafana/panels/process_status_graph.json.jinja deleted file mode 100644 index 302175c36..000000000 --- a/salt/grafana/panels/process_status_graph.json.jinja +++ /dev/null 
@@ -1,203 +0,0 @@ -{ - "id": 61852, - "gridPos": { - "x": {{ PANELS.process_status_graph.gridPos.x }}, - "y": {{ PANELS.process_status_graph.gridPos.y }}, - "w": {{ PANELS.process_status_graph.gridPos.w }}, - "h": {{ PANELS.process_status_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Process Status", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "short", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "processes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(running) as running, 
mean(blocked) as blocked, mean(sleeping) as sleeping, mean(stopped) as stopped, mean(zombies) as zombies, mean(paging) as paging, mean(unknown) as unknown FROM \"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "blocked" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$server$/" - } - ] - }, - { - "alias": "$tag_host: $col", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "processes", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT mean(mean_running) as trend_running, mean(mean_blocked) as trend_blocked, mean(mean_sleeping) as trend_sleeping, mean(mean_stopped) as trend_stopped, mean(mean_zombies) as trend_zombies, mean(mean_paging) as trend_paging, mean(mean_unknown) as trend_unknown FROM \"so_long_term\".\"processes\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host fill(linear) ORDER BY asc", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "blocked" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$server$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/ram_usage_guage.json.jinja b/salt/grafana/panels/ram_usage_guage.json.jinja deleted file mode 100644 index 813b9cba8..000000000 --- a/salt/grafana/panels/ram_usage_guage.json.jinja +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "id": 61860, - "gridPos": { - "x": {{ PANELS.ram_usage_guage.gridPos.x }}, - "y": {{ PANELS.ram_usage_guage.gridPos.y }}, - "w": {{ PANELS.ram_usage_guage.gridPos.w }}, - "h": {{ PANELS.ram_usage_guage.gridPos.h }} - }, - "type": "gauge", - "title": "RAM usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 70 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 80 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "mem", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "orderByTime": "ASC" - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/redis_queue_graph.json.jinja b/salt/grafana/panels/redis_queue_graph.json.jinja deleted file mode 100644 index b33290008..000000000 --- a/salt/grafana/panels/redis_queue_graph.json.jinja +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "id": 55, - "gridPos": { - "x": {{ PANELS.redis_queue_graph.gridPos.x }}, - "y": {{ PANELS.redis_queue_graph.gridPos.y }}, - "w": {{ PANELS.redis_queue_graph.gridPos.w }}, - "h": {{ PANELS.redis_queue_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Redis Queue", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "short", - "decimals": 2 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean" - ] - } - }, - "targets": [ - { - "alias": "Queue Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "redisqueue", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "unparsed" - ], - "type": "field" - }, - { - 
"params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "condition": "OR", - "key": "role", - "operator": "=", - "value": "standalone" - } - ] - }, - { - "alias": "Queue Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "redisqueue", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_unparsed" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "role", - "operator": "=~", - "value": "/^manager/" - }, - { - "condition": "OR", - "key": "role", - "operator": "=", - "value": "standalone" - } - ] - } - ], - "maxDataPoints": null, - "description": "", - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/redis_queue_stat.json.jinja b/salt/grafana/panels/redis_queue_stat.json.jinja deleted file mode 100644 index b0b3d8946..000000000 --- a/salt/grafana/panels/redis_queue_stat.json.jinja +++ /dev/null 
@@ -1,95 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "color": { - "mode": "thresholds" - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.redis_queue_stat.gridPos.x }}, - "y": {{ PANELS.redis_queue_stat.gridPos.y }}, - "w": {{ PANELS.redis_queue_stat.gridPos.w }}, - "h": {{ PANELS.redis_queue_stat.gridPos.h }} - }, - "id": 68894, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "auto", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "redisqueue", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "unparsed" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "title": "Redis Unparsed Queue", - "type": "stat", - "timeFrom": null, - "timeShift": null, - "interval": "30s" -} diff --git a/salt/grafana/panels/rootfs_used_guage.json.jinja b/salt/grafana/panels/rootfs_used_guage.json.jinja deleted file mode 100644 index b628d247c..000000000 --- a/salt/grafana/panels/rootfs_used_guage.json.jinja +++ /dev/null 
@@ -1,121 +0,0 @@ -{ - "id": 61866, - "gridPos": { - "x": {{ PANELS.rootfs_used_guage.gridPos.x }}, - "y": {{ PANELS.rootfs_used_guage.gridPos.y }}, - "w": {{ PANELS.rootfs_used_guage.gridPos.w }}, - "h": {{ PANELS.rootfs_used_guage.gridPos.h }} - }, - "type": "gauge", - "title": "RootFS used", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 70 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 80 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "disk", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - }, - { - "condition": "AND", - "key": "path", - "operator": "=", - "value": "/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/row_cpu.json.jinja b/salt/grafana/panels/row_cpu.json.jinja deleted file mode 100644 index 6384048d6..000000000 
--- a/salt/grafana/panels/row_cpu.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_cpu.gridPos.x }}, - "y": {{ PANELS.row_cpu.gridPos.y }}, - "w": {{ PANELS.row_cpu.gridPos.w }}, - "h": {{ PANELS.row_cpu.gridPos.h }} - }, - "id": 2, - "panels": [], - "repeat": null, - "title": "CPU", - "type": "row" - } diff --git a/salt/grafana/panels/row_disk_iops.json.jinja b/salt/grafana/panels/row_disk_iops.json.jinja deleted file mode 100644 index f54494825..000000000 --- a/salt/grafana/panels/row_disk_iops.json.jinja +++ /dev/null @@ -1,22 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_disk_iops.gridPos.x }}, - "y": {{ PANELS.row_disk_iops.gridPos.y }}, - "w": {{ PANELS.row_disk_iops.gridPos.w }}, - "h": {{ PANELS.row_disk_iops.gridPos.h }} - }, - "id": 62055, - "panels": [], - "repeat": "disk", - "scopedVars": { - "disk": { - "selected": false, - "text": "sda", - "value": "sda" - } - }, - "title": "Disk IOPS for /dev/$disk", - "type": "row" -} diff --git a/salt/grafana/panels/row_disk_usage.json.jinja b/salt/grafana/panels/row_disk_usage.json.jinja deleted file mode 100644 index 2cfac7cb4..000000000 --- a/salt/grafana/panels/row_disk_usage.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_disk_usage.gridPos.x }}, - "y": {{ PANELS.row_disk_usage.gridPos.y }}, - "w": {{ PANELS.row_disk_usage.gridPos.w }}, - "h": {{ PANELS.row_disk_usage.gridPos.h }} - }, - "id": 3333, - "panels": [], - "repeat": null, - "title": "Disk Usage", - "type": "row" - } diff --git a/salt/grafana/panels/row_docker_details.json.jinja b/salt/grafana/panels/row_docker_details.json.jinja deleted file mode 100644 index bb06a57ed..000000000 --- a/salt/grafana/panels/row_docker_details.json.jinja +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_docker_details.gridPos.x }}, - "y": {{ PANELS.row_docker_details.gridPos.y }}, - "w": {{ PANELS.row_docker_details.gridPos.w }}, - "h": {{ PANELS.row_docker_details.gridPos.h }} - }, - "id": 4, - "panels": [], - "repeat": null, - "title": "Docker Details", - "type": "row" - } diff --git a/salt/grafana/panels/row_elasticsearch.json.jinja b/salt/grafana/panels/row_elasticsearch.json.jinja deleted file mode 100644 index 04340c3e2..000000000 --- a/salt/grafana/panels/row_elasticsearch.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_elasticsearch.gridPos.x }}, - "y": {{ PANELS.row_elasticsearch.gridPos.y }}, - "w": {{ PANELS.row_elasticsearch.gridPos.w }}, - "h": {{ PANELS.row_elasticsearch.gridPos.h }} - }, - "id": 2442, - "panels": [], - "repeat": null, - "title": "Elasticsearch", - "type": "row" - } diff --git a/salt/grafana/panels/row_influxdb.json.jinja b/salt/grafana/panels/row_influxdb.json.jinja deleted file mode 100644 index 7f3251cc9..000000000 --- a/salt/grafana/panels/row_influxdb.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_influxdb.gridPos.x }}, - "y": {{ PANELS.row_influxdb.gridPos.y }}, - "w": {{ PANELS.row_influxdb.gridPos.w }}, - "h": {{ PANELS.row_influxdb.gridPos.h }} - }, - "id": 43434, - "panels": [], - "repeat": null, - "title": "InfluxDB", - "type": "row" - } diff --git a/salt/grafana/panels/row_logstash.json.jinja b/salt/grafana/panels/row_logstash.json.jinja deleted file mode 100644 index e934dbd0e..000000000 --- a/salt/grafana/panels/row_logstash.json.jinja +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_logstash.gridPos.x }}, - "y": {{ PANELS.row_logstash.gridPos.y }}, - "w": {{ PANELS.row_logstash.gridPos.w }}, - "h": {{ PANELS.row_logstash.gridPos.h }} - }, - "id": 24242, - "panels": [], - "repeat": null, - "title": "Logstash", - "type": "row" - } diff --git a/salt/grafana/panels/row_memory.json.jinja b/salt/grafana/panels/row_memory.json.jinja deleted file mode 100644 index 33d203138..000000000 --- a/salt/grafana/panels/row_memory.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_memory.gridPos.x }}, - "y": {{ PANELS.row_memory.gridPos.y }}, - "w": {{ PANELS.row_memory.gridPos.w }}, - "h": {{ PANELS.row_memory.gridPos.h }} - }, - "id": 3, - "panels": [], - "repeat": null, - "title": "Memory", - "type": "row" - } diff --git a/salt/grafana/panels/row_network.json.jinja b/salt/grafana/panels/row_network.json.jinja deleted file mode 100644 index 6f611f580..000000000 --- a/salt/grafana/panels/row_network.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_network.gridPos.x }}, - "y": {{ PANELS.row_network.gridPos.y }}, - "w": {{ PANELS.row_network.gridPos.w }}, - "h": {{ PANELS.row_network.gridPos.h }} - }, - "id": 333, - "panels": [], - "repeat": null, - "title": "Network", - "type": "row" - } diff --git a/salt/grafana/panels/row_overview.json.jinja b/salt/grafana/panels/row_overview.json.jinja deleted file mode 100644 index d05a9394d..000000000 --- a/salt/grafana/panels/row_overview.json.jinja +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_overview.gridPos.x }}, - "y": {{ PANELS.row_overview.gridPos.y }}, - "w": {{ PANELS.row_overview.gridPos.w }}, - "h": {{ PANELS.row_overview.gridPos.h }} - }, - "id": 1, - "panels": [], - "repeat": null, - "title": "Overview", - "type": "row" - } diff --git a/salt/grafana/panels/row_packet_loss.json.jinja b/salt/grafana/panels/row_packet_loss.json.jinja deleted file mode 100644 index b9d2c8a96..000000000 --- a/salt/grafana/panels/row_packet_loss.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_packet_loss.gridPos.x }}, - "y": {{ PANELS.row_packet_loss.gridPos.y }}, - "w": {{ PANELS.row_packet_loss.gridPos.w }}, - "h": {{ PANELS.row_packet_loss.gridPos.h }} - }, - "id": 816341, - "panels": [], - "repeat": null, - "title": "Packet Loss", - "type": "row" - } diff --git a/salt/grafana/panels/row_redis.json.jinja b/salt/grafana/panels/row_redis.json.jinja deleted file mode 100644 index f0be53693..000000000 --- a/salt/grafana/panels/row_redis.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_redis.gridPos.x }}, - "y": {{ PANELS.row_redis.gridPos.y }}, - "w": {{ PANELS.row_redis.gridPos.w }}, - "h": {{ PANELS.row_redis.gridPos.h }} - }, - "id": 24812, - "panels": [], - "repeat": null, - "title": "Redis", - "type": "row" - } diff --git a/salt/grafana/panels/row_stenographer.json.jinja b/salt/grafana/panels/row_stenographer.json.jinja deleted file mode 100644 index 004757748..000000000 --- a/salt/grafana/panels/row_stenographer.json.jinja +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_stenographer.gridPos.x }}, - "y": {{ PANELS.row_stenographer.gridPos.y }}, - "w": {{ PANELS.row_stenographer.gridPos.w }}, - "h": {{ PANELS.row_stenographer.gridPos.h }} - }, - "id": 8812, - "panels": [], - "repeat": null, - "title": "Stenographer", - "type": "row" - } diff --git a/salt/grafana/panels/row_suricata.json.jinja b/salt/grafana/panels/row_suricata.json.jinja deleted file mode 100644 index d4dead5c5..000000000 --- a/salt/grafana/panels/row_suricata.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_suricata.gridPos.x }}, - "y": {{ PANELS.row_suricata.gridPos.y }}, - "w": {{ PANELS.row_suricata.gridPos.w }}, - "h": {{ PANELS.row_suricata.gridPos.h }} - }, - "id": 8481, - "panels": [], - "repeat": null, - "title": "Suricata", - "type": "row" - } diff --git a/salt/grafana/panels/row_swap.json.jinja b/salt/grafana/panels/row_swap.json.jinja deleted file mode 100644 index c465dcc6e..000000000 --- a/salt/grafana/panels/row_swap.json.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_swap.gridPos.x }}, - "y": {{ PANELS.row_swap.gridPos.y }}, - "w": {{ PANELS.row_swap.gridPos.w }}, - "h": {{ PANELS.row_swap.gridPos.h }} - }, - "id": 444, - "panels": [], - "repeat": null, - "title": "Swap", - "type": "row" - } diff --git a/salt/grafana/panels/row_zeek.json.jinja b/salt/grafana/panels/row_zeek.json.jinja deleted file mode 100644 index 1b236a543..000000000 --- a/salt/grafana/panels/row_zeek.json.jinja +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "collapsed": false, - "datasource": null, - "gridPos": { - "x": {{ PANELS.row_zeek.gridPos.x }}, - "y": {{ PANELS.row_zeek.gridPos.y }}, - "w": {{ PANELS.row_zeek.gridPos.w }}, - "h": {{ PANELS.row_zeek.gridPos.h }} - }, - "id": 21281, - "panels": [], - "repeat": null, - "title": "Zeek", - "type": "row" - } diff --git a/salt/grafana/panels/stenographer_packet_loss_graph.json.jinja b/salt/grafana/panels/stenographer_packet_loss_graph.json.jinja deleted file mode 100644 index 0fb56dbe7..000000000 --- a/salt/grafana/panels/stenographer_packet_loss_graph.json.jinja +++ /dev/null 
@@ -1,229 +0,0 @@ -{ - "id": 19, - "gridPos": { - "x": {{ PANELS.stenographer_packet_loss_graph.gridPos.x }}, - "y": {{ PANELS.stenographer_packet_loss_graph.gridPos.y }}, - "w": {{ PANELS.stenographer_packet_loss_graph.gridPos.w }}, - "h": {{ PANELS.stenographer_packet_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Stenographer Packet Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "Current $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" 
- ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "stenodrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "Trend $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "hide": {{ PANELS.stenographer_packet_loss_graph.get('hideTrend', false)|json }}, - "measurement": "stenodrop", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/stenographer_packet_loss_stat.json.jinja b/salt/grafana/panels/stenographer_packet_loss_stat.json.jinja deleted file mode 100644 index 863772fcd..000000000 --- a/salt/grafana/panels/stenographer_packet_loss_stat.json.jinja +++ /dev/null 
@@ -1,114 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 1 - }, - { - "color": "dark-red", - "value": 5 - } - ] - }, - "mappings": [ - { - "op": "=", - "text": "N/A", - "value": "null", - "$$hashKey": "object:1120", - "id": 0, - "type": 1 - } - ], - "unit": "percent", - "decimals": 2, - "color": { - "mode": "thresholds" - } - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.stenographer_packet_loss_stat.gridPos.x }}, - "y": {{ PANELS.stenographer_packet_loss_stat.gridPos.y }}, - "w": {{ PANELS.stenographer_packet_loss_stat.gridPos.w }}, - "h": {{ PANELS.stenographer_packet_loss_stat.gridPos.h }} - }, - "id": 22, - "links": [], - "maxDataPoints": 100, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "stenodrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "title": "Stenographer Packet Loss", - "type": "stat", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "cacheTimeout": null, - "interval": null, - "pluginVersion": "7.5.4" -} diff --git a/salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja b/salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja deleted file mode 100644 index 83c51a73d..000000000 
--- a/salt/grafana/panels/stenographer_pcap_retention_graph.json.jinja +++ /dev/null 
@@ -1,207 +0,0 @@ -{ - "id": 2239, - "gridPos": { - "x": {{ PANELS.stenographer_pcap_retention_graph.gridPos.x }}, - "y": {{ PANELS.stenographer_pcap_retention_graph.gridPos.y }}, - "w": {{ PANELS.stenographer_pcap_retention_graph.gridPos.w }}, - "h": {{ PANELS.stenographer_pcap_retention_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Stenographer PCAP Retention", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "maxDataPoints": 750, - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "s", - "decimals": 2 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "hidden", - "placement": "bottom", - "calcs": [] - } - }, - "targets": [ - { - "alias": "$tag_host: Oldest Pcap Current", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "pcapage", - 
"orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "seconds" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "$tag_host: Oldest Pcap Trend", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "measurement": "pcapage", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_seconds" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/suricata_packet_loss_graph.json.jinja b/salt/grafana/panels/suricata_packet_loss_graph.json.jinja deleted file mode 100644 index eb26f9d8b..000000000 --- a/salt/grafana/panels/suricata_packet_loss_graph.json.jinja +++ /dev/null 
@@ -1,241 +0,0 @@ -{ - "id": 21, - "gridPos": { - "x": {{ PANELS.suricata_packet_loss_graph.gridPos.x }}, - "y": {{ PANELS.suricata_packet_loss_graph.gridPos.y }}, - "w": {{ PANELS.suricata_packet_loss_graph.gridPos.w }}, - "h": {{ PANELS.suricata_packet_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Suricata Packet Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "Current $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": 
"tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "suridrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "Trend $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "hide": {{ PANELS.suricata_packet_loss_graph.get('hideTrend', false)|json }}, - "measurement": "suridrop", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/suricata_packet_loss_stat.json.jinja b/salt/grafana/panels/suricata_packet_loss_stat.json.jinja deleted file mode 100644 index 87a3f48e5..000000000 --- a/salt/grafana/panels/suricata_packet_loss_stat.json.jinja +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 1 - }, - { - "color": "dark-red", - "value": 5 - } - ] - }, - "mappings": [ - { - "op": "=", - "text": "N/A", - "value": "null", - "$$hashKey": "object:949", - "id": 0, - "type": 1 - } - ], - "unit": "percent", - "decimals": 2, - "color": { - "mode": "thresholds" - } - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.suricata_packet_loss_stat.gridPos.x }}, - "y": {{ PANELS.suricata_packet_loss_stat.gridPos.y }}, - "w": {{ PANELS.suricata_packet_loss_stat.gridPos.w }}, - "h": {{ PANELS.suricata_packet_loss_stat.gridPos.h }} - }, - "id": 20, - "links": [], - "maxDataPoints": 100, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "suridrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "title": "Suricata Packet Loss", - "type": "stat", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "cacheTimeout": null, - "interval": null -} diff --git a/salt/grafana/panels/swap_io_bytes_graph.json.jinja b/salt/grafana/panels/swap_io_bytes_graph.json.jinja deleted file mode 100644 index fe7989870..000000000 
--- a/salt/grafana/panels/swap_io_bytes_graph.json.jinja +++ /dev/null 
@@ -1,187 +0,0 @@ -{ - "id": 68890, - "gridPos": { - "x": {{ PANELS.swap_io_bytes_graph.gridPos.x }}, - "y": {{ PANELS.swap_io_bytes_graph.gridPos.y }}, - "w": {{ PANELS.swap_io_bytes_graph.gridPos.w }}, - "h": {{ PANELS.swap_io_bytes_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Swap I/O Bytes", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "bottom", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"in\")) as \"in\", non_negative_derivative(mean(\"out\")) as \"out\" FROM \"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [] - }, - { - "alias": "$tag_host: $col", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": false, - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT non_negative_derivative(mean(\"mean_in\")) as \"trend_in\", non_negative_derivative(mean(\"mean_out\")) as \"trend_out\" FROM \"so_long_term\".\"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host fill(linear) ORDER BY asc", - "queryType": "randomWalk", - "rawQuery": true, - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "value" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - 
"tags": [] - } - ], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "unit": "bytes", - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/swap_usage_bytes_graph.json.jinja b/salt/grafana/panels/swap_usage_bytes_graph.json.jinja deleted file mode 100644 index 4986b72a5..000000000 --- a/salt/grafana/panels/swap_usage_bytes_graph.json.jinja +++ /dev/null 
@@ -1,184 +0,0 @@ -{ - "type": "graph", - "title": "Swap Usage", - "gridPos": { - "x": {{ PANELS.swap_usage_bytes_graph.gridPos.x }}, - "y": {{ PANELS.swap_usage_bytes_graph.gridPos.y }}, - "w": {{ PANELS.swap_usage_bytes_graph.gridPos.w }}, - "h": {{ PANELS.swap_usage_bytes_graph.gridPos.h }} - }, - "id": 68892, - "targets": [ - { - "refId": "A", - "queryType": "randomWalk", - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "value" - ] - }, - { - "type": "mean", - "params": [] - } - ] - ], - "query": "SELECT mean(used) as \"used\", mean(total) as \"total\" FROM \"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "rawQuery": true, - "alias": "$tag_host: $col" - }, - { - "refId": "B", - "queryType": "randomWalk", - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "value" - ] - }, - { - "type": "mean", - "params": [] - } - ] - ], - "query": "SELECT mean(mean_used) as \"trend_used\", mean(mean_total) as \"trend_total\" FROM \"so_long_term\".\"swap\" WHERE host =~ /$servername$/ AND $timeFilter GROUP BY time($__interval), host ORDER BY asc", - "rawQuery": true, - "alias": "$tag_host: $col", - "hide": false - } - ], - "options": { - "alertThreshold": true - }, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "pluginVersion": "7.5.4", - "renderer": "flot", - "yaxes": [ - { - "label": null, - "show": true, - "logBase": 1, - "min": "0", - "max": null, - "format": "bytes", - "$$hashKey": "object:515" - }, - { - "label": 
null, - "show": true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:516" - } - ], - "xaxis": { - "show": true, - "mode": "time", - "name": null, - "values": [], - "buckets": null - }, - "yaxis": { - "align": false, - "alignLevel": null - }, - "lines": true, - "fill": 1, - "linewidth": 1, - "dashLength": 10, - "spaceLength": 10, - "pointradius": 2, - "legend": { - "show": true, - "values": true, - "min": false, - "max": true, - "current": true, - "total": false, - "avg": true, - "alignAsTable": true - }, - "nullPointMode": "connected", - "tooltip": { - "value_type": "individual", - "shared": true, - "sort": 0 - }, - "aliasColors": {}, - "seriesOverrides": [ - { - "$$hashKey": "object:575", - "alias": "/total/", - "fill": 0, - "color": "#C4162A" - }, - { - "$$hashKey": "object:596", - "alias": "/trend/", - "fill": 0, - "linewidth": 4, - "dashes": true, - "dashLength": 4 - } - ], - "thresholds": [], - "timeRegions": [], - "fillGradient": 0, - "dashes": false, - "hiddenSeries": false, - "points": false, - "bars": false, - "stack": false, - "percentage": false, - "steppedLine": false, - "maxDataPoints": 750, - "interval": "30s" -} diff --git a/salt/grafana/panels/swap_usage_guage.json.jinja b/salt/grafana/panels/swap_usage_guage.json.jinja deleted file mode 100644 index f7e3d4f34..000000000 --- a/salt/grafana/panels/swap_usage_guage.json.jinja +++ /dev/null 
@@ -1,115 +0,0 @@ -{ - "id": 61863, - "gridPos": { - "x": {{ PANELS.swap_usage_guage.gridPos.x }}, - "y": {{ PANELS.swap_usage_guage.gridPos.y }}, - "w": {{ PANELS.swap_usage_guage.gridPos.w }}, - "h": {{ PANELS.swap_usage_guage.gridPos.h }} - }, - "type": "gauge", - "title": "Swap usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "links": [], - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgba(50, 172, 45, 0.97)", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 50 - }, - { - "color": "rgba(245, 54, 54, 0.9)", - "value": 70 - } - ] - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "color": { - "mode": "thresholds" - }, - "decimals": 0, - "max": 100, - "min": 0, - "unit": "percent" - }, - "overrides": [] - }, - "interval": "30", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "swap", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ], - "orderByTime": "ASC" - } - ], - "maxDataPoints": null, - "cacheTimeout": null -} diff --git a/salt/grafana/panels/swap_usage_percent_graph.json.jinja b/salt/grafana/panels/swap_usage_percent_graph.json.jinja deleted file mode 100644 index 875107fd7..000000000 --- a/salt/grafana/panels/swap_usage_percent_graph.json.jinja +++ /dev/null 
@@ -1,141 +0,0 @@ -{ - "id": 69873, - "gridPos": { - "x": {{ PANELS.swap_usage_percent_graph.gridPos.x }}, - "y": {{ PANELS.swap_usage_percent_graph.gridPos.y }}, - "w": {{ PANELS.swap_usage_percent_graph.gridPos.w }}, - "h": {{ PANELS.swap_usage_percent_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Swap Usage", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "unit": "percent", - "decimals": 1 - }, - "overrides": [] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host $tag_role", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "swap", - "orderByTime": "ASC", - "policy": "default", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "used_percent" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - 
"value": "/^$servername$/" - } - ] - } - ], - "timeFrom": null, - "timeShift": null, - "interval": "30s", - "maxDataPoints": null -} diff --git a/salt/grafana/panels/system_uptime.json.jinja b/salt/grafana/panels/system_uptime.json.jinja deleted file mode 100644 index fc2cb69ac..000000000 --- a/salt/grafana/panels/system_uptime.json.jinja +++ /dev/null @@ -1,91 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "rgb(255, 255, 255)", - "value": null - } - ] - }, - "mappings": [], - "decimals": 2, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.system_uptime.gridPos.x }}, - "y": {{ PANELS.system_uptime.gridPos.y }}, - "w": {{ PANELS.system_uptime.gridPos.w }}, - "h": {{ PANELS.system_uptime.gridPos.h }} - }, - "id": 39, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "auto", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "system", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "uptime" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "timeFrom": null, - "timeShift": null, - "title": "System Uptime", - "type": "stat" -} diff --git a/salt/grafana/panels/system_uptime_graph.json.jinja b/salt/grafana/panels/system_uptime_graph.json.jinja deleted file mode 100644 index bf26b520f..000000000 --- a/salt/grafana/panels/system_uptime_graph.json.jinja +++ /dev/null 
@@ -1,148 +0,0 @@ -{ - "type": "graph", - "title": "System Uptime", - "gridPos": { - "x": {{ PANELS.system_uptime_graph.gridPos.x }}, - "y": {{ PANELS.system_uptime_graph.gridPos.y }}, - "w": {{ PANELS.system_uptime_graph.gridPos.w }}, - "h": {{ PANELS.system_uptime_graph.gridPos.h }} - }, - "id": 69016, - "targets": [ - { - "refId": "A", - "queryType": "randomWalk", - "policy": "default", - "resultFormat": "time_series", - "orderByTime": "ASC", - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ], - "groupBy": [ - { - "type": "time", - "params": [ - "$__interval" - ] - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "tag", - "params": [ - "role" - ] - }, - { - "type": "fill", - "params": [ - "null" - ] - } - ], - "select": [ - [ - { - "type": "field", - "params": [ - "uptime" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "measurement": "system", - "alias": "$tag_host $tag_role" - } - ], - "options": { - "alertThreshold": true - }, - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "pluginVersion": "7.5.4", - "renderer": "flot", - "yaxes": [ - { - "label": "", - "show": true, - "logBase": 1, - "min": "0", - "max": "604800", - "format": "s", - "$$hashKey": "object:213", - "decimals": 1 - }, - { - "label": null, - "show": true, - "logBase": 1, - "min": null, - "max": null, - "format": "short", - "$$hashKey": "object:214" - } - ], - "xaxis": { - "show": true, - "mode": "time", - "name": null, - "values": [], - "buckets": null - }, - "yaxis": { - "align": false, - "alignLevel": null - }, - "lines": true, - "linewidth": 1, - "dashLength": 10, - "spaceLength": 10, - "pointradius": 2, - "legend": { - "show": true, - "values": true, - "min": false, - "max": false, - "current": true, - "total": false, - "avg": false, - "alignAsTable": true, - "rightSide": true - }, - "nullPointMode": "connected", - "tooltip": { - "value_type": "individual", - "shared": true, - 
"sort": 1 - }, - "aliasColors": {}, - "seriesOverrides": [], - "thresholds": [], - "timeRegions": [], - "fill": 0, - "fillGradient": 0, - "dashes": false, - "hiddenSeries": false, - "points": false, - "bars": false, - "stack": false, - "percentage": false, - "steppedLine": false, - "decimals": 1, - "description": "" -} diff --git a/salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja b/salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja deleted file mode 100644 index ad4ff2805..000000000 --- a/salt/grafana/panels/uptime_docker_combined_current_graph.json.jinja +++ /dev/null 
@@ -1,168 +0,0 @@ -{ - "aliasColors": {}, - "dashLength": 10, - "datasource": "InfluxDB", - "decimals": 1, - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.uptime_docker_combined_current_graph.gridPos.x }}, - "y": {{ PANELS.uptime_docker_combined_current_graph.gridPos.y }}, - "w": {{ PANELS.uptime_docker_combined_current_graph.gridPos.w }}, - "h": {{ PANELS.uptime_docker_combined_current_graph.gridPos.h }} - }, - "id": 68896, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": false, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "pluginVersion": "7.5.4", - "pointradius": 2, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "targets": [ - { - "alias": "$tag_host $tag_role $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "type": "tag", - "params": [ - "role" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_status", - "orderByTime": "ASC", - "policy": "default", - "query": "SELECT last(\"uptime_ns\") FROM \"docker_container_status\" WHERE (\"host\" =~ /^$servername$/ AND \"container_name\" =~ /^$containers$/) AND $timeFilter GROUP BY time($__interval), \"container_name\", \"host\", \"role\" fill(null)", - "queryType": "randomWalk", - "rawQuery": false, - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "uptime_ns" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": 
"container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ], - "slimit": "", - "limit": "" - } - ], - "thresholds": [], - "timeRegions": [], - "title": "Container Uptime Current", - "tooltip": { - "shared": true, - "sort": 1, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:192", - "format": "ns", - "label": null, - "logBase": 1, - "max": "604800000000000", - "min": "0", - "show": true, - "decimals": 1 - }, - { - "$$hashKey": "object:193", - "decimals": 2, - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": "0", - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - }, - "bars": false, - "dashes": false, - "fill": 0, - "fillGradient": 0, - "hiddenSeries": false, - "percentage": false, - "points": false, - "stack": false, - "steppedLine": false, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja b/salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja deleted file mode 100644 index a4be68137..000000000 --- a/salt/grafana/panels/uptime_docker_combined_trend_graph.json.jinja +++ /dev/null 
@@ -1,165 +0,0 @@ -{ - "id": 68999, - "gridPos": { - "x": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.x }}, - "y": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.y }}, - "w": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.w }}, - "h": {{ PANELS.uptime_docker_combined_trend_graph.gridPos.h }} - }, - "type": "graph", - "title": "Container Uptime Trend", - "datasource": "InfluxDB", - "thresholds": [ - { - "$$hashKey": "object:1299", - "colorMode": "critical", - "fill": false, - "line": true, - "op": "lt", - "value": 4500000000000, - "yaxis": "left" - } - ], - "pluginVersion": "8.2.1", - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": false, - "min": false, - "rightSide": true, - "show": true, - "sort": "current", - "sortDesc": false, - "total": false, - "values": true - }, - "aliasColors": {}, - "dashLength": 10, - "decimals": 1, - "lines": true, - "linewidth": 1, - "nullPointMode": "connected", - "options": { - "alertThreshold": true - }, - "pointradius": 2, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "targets": [ - { - "alias": "$tag_host: $tag_container_name", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "container_name" - ], - "type": "tag" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "docker_container_status", - "orderByTime": "ASC", - "policy": "so_long_term", - "queryType": "randomWalk", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "type": "field", - "params": [ - "mean_uptime_ns" - ] - }, - { - "type": "last", - "params": [] - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - }, - { - "condition": "AND", - "key": "container_name", - "operator": "=~", - "value": "/^$containers$/" - } - ] - } - ], - "timeRegions": [], - "tooltip": { - "shared": true, - "sort": 1, - 
"value_type": "individual" - }, - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:192", - "format": "ns", - "label": null, - "logBase": 1, - "max": "604800000000000", - "min": null, - "show": true, - "decimals": 1 - }, - { - "$$hashKey": "object:193", - "decimals": 2, - "format": "short", - "label": "", - "logBase": 1, - "max": null, - "min": "0", - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - }, - "interval": "30s", - "bars": false, - "dashes": false, - "fill": 0, - "fillGradient": 0, - "hiddenSeries": false, - "percentage": false, - "points": false, - "stack": false, - "steppedLine": false, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/zeek_capture_loss_graph.json.jinja b/salt/grafana/panels/zeek_capture_loss_graph.json.jinja deleted file mode 100644 index 53adcd7fa..000000000 --- a/salt/grafana/panels/zeek_capture_loss_graph.json.jinja +++ /dev/null 
@@ -1,203 +0,0 @@ -{ - "id": 71, - "gridPos": { - "x": {{ PANELS.zeek_capture_loss_graph.gridPos.x }}, - "y": {{ PANELS.zeek_capture_loss_graph.gridPos.y }}, - "w": {{ PANELS.zeek_capture_loss_graph.gridPos.w }}, - "h": {{ PANELS.zeek_capture_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Capture Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 10, - "gradientMode": "none", - "spanNulls": true, - "showPoints": "auto", - "pointSize": 6, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "decimals": 1, - "min": 0 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "$tag_host: Loss Current", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "type": "tag", - "params": [ - "host" - ] - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "zeekcaptureloss", - "orderByTime": "ASC", - "policy": "default", - "refId": 
"A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "loss" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "$tag_host: Loss Trend", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "hide": true, - "measurement": "zeekcaptureloss", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_loss" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/zeek_packet_loss_graph.json.jinja b/salt/grafana/panels/zeek_packet_loss_graph.json.jinja deleted file mode 100644 index 7d2c8ae2b..000000000 --- a/salt/grafana/panels/zeek_packet_loss_graph.json.jinja +++ /dev/null 
@@ -1,244 +0,0 @@ -{ - "id": 2022, - "gridPos": { - "x": {{ PANELS.zeek_packet_loss_graph.gridPos.x }}, - "y": {{ PANELS.zeek_packet_loss_graph.gridPos.y }}, - "w": {{ PANELS.zeek_packet_loss_graph.gridPos.w }}, - "h": {{ PANELS.zeek_packet_loss_graph.gridPos.h }} - }, - "type": "timeseries", - "title": "Zeek Packet Loss", - "datasource": "InfluxDB", - "pluginVersion": "8.2.1", - "interval": "30s", - "links": [], - "fieldConfig": { - "defaults": { - "custom": { - "drawStyle": "line", - "lineInterpolation": "linear", - "barAlignment": 0, - "lineWidth": 1, - "fillOpacity": 0, - "gradientMode": "none", - "spanNulls": false, - "showPoints": "never", - "pointSize": 5, - "stacking": { - "mode": "none", - "group": "A" - }, - "axisPlacement": "auto", - "axisLabel": "", - "scaleDistribution": { - "type": "linear" - }, - "hideFrom": { - "tooltip": false, - "viz": false, - "legend": false - }, - "thresholdsStyle": { - "mode": "off" - }, - "lineStyle": { - "fill": "solid" - } - }, - "color": { - "mode": "palette-classic" - }, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "value": null, - "color": "green" - }, - { - "value": 80, - "color": "red" - } - ] - }, - "mappings": [], - "links": [], - "unit": "percent", - "min": 0, - "decimals": 1 - }, - "overrides": [ - { - "matcher": { - "id": "byRegexp", - "options": "/Trend/" - }, - "properties": [ - { - "id": "custom.fillOpacity", - "value": 0 - }, - { - "id": "custom.lineWidth", - "value": 4 - }, - { - "id": "custom.lineStyle", - "value": { - "fill": "dash", - "dash": [ - 4, - 10 - ] - } - } - ] - } - ] - }, - "options": { - "tooltip": { - "mode": "single" - }, - "legend": { - "displayMode": "table", - "placement": "right", - "calcs": [ - "max", - "mean", - "lastNotNull" - ] - } - }, - "targets": [ - { - "alias": "Current $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - 
"role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "measurement": "zeekdrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - }, - { - "alias": "Trend $tag_host $tag_role", - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "host" - ], - "type": "tag" - }, - { - "params": [ - "role" - ], - "type": "tag" - }, - { - "params": [ - "none" - ], - "type": "fill" - } - ], - "hide": {{ PANELS.zeek_packet_loss_graph.get('hideTrend', false)|json }}, - "measurement": "zeekdrop", - "orderByTime": "ASC", - "policy": "so_long_term", - "refId": "B", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "mean_drop" - ], - "type": "field" - }, - { - "params": [], - "type": "mean" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=~", - "value": "/^$servername$/" - } - ] - } - ], - "maxDataPoints": null, - "cacheTimeout": null, - "timeFrom": null, - "timeShift": null -} diff --git a/salt/grafana/panels/zeek_packet_loss_stat.json.jinja b/salt/grafana/panels/zeek_packet_loss_stat.json.jinja deleted file mode 100644 index 9d43f5a76..000000000 --- a/salt/grafana/panels/zeek_packet_loss_stat.json.jinja +++ /dev/null 
@@ -1,120 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "dark-green", - "value": null - }, - { - "color": "rgba(237, 129, 40, 0.89)", - "value": 1 - }, - { - "color": "dark-red", - "value": 5 - } - ] - }, - "mappings": [ - { - "op": "=", - "text": "N/A", - "value": "null", - "$$hashKey": "object:818", - "id": 0, - "type": 1 - } - ], - "unit": "percent", - "decimals": 2, - "color": { - "mode": "thresholds" - } - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.zeek_packet_loss_stat.gridPos.x }}, - "y": {{ PANELS.zeek_packet_loss_stat.gridPos.y }}, - "w": {{ PANELS.zeek_packet_loss_stat.gridPos.w }}, - "h": {{ PANELS.zeek_packet_loss_stat.gridPos.h }} - }, - "id": 2123, - "links": [], - "maxDataPoints": 100, - "targets": [ - { - "dsType": "influxdb", - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "zeekdrop", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "drop" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - }, - { - "params": [ - "* 100" - ], - "type": "math" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "title": "Zeek Packet Loss", - "type": "stat", - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "lastNotNull" - ], - "fields": "" - }, - "orientation": "horizontal", - "text": {}, - "textMode": "value", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "cacheTimeout": null, - "interval": null -} diff --git a/salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja b/salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja deleted file mode 100644 index 85dda1154..000000000 
--- a/salt/grafana/panels/zeek_restarts_healthcheck_stat.json.jinja +++ /dev/null @@ -1,93 +0,0 @@ -{ - "datasource": "InfluxDB", - "fieldConfig": { - "defaults": { - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 1 - } - ] - }, - "mappings": [] - }, - "overrides": [] - }, - "gridPos": { - "x": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.x }}, - "y": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.y }}, - "w": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.w }}, - "h": {{ PANELS.zeek_restarts_healthcheck_stat.gridPos.h }} - }, - "id": 37, - "options": { - "reduceOptions": { - "values": false, - "calcs": [ - "sum" - ], - "fields": "" - }, - "orientation": "auto", - "text": {}, - "textMode": "auto", - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto" - }, - "pluginVersion": "7.5.4", - "targets": [ - { - "groupBy": [ - { - "params": [ - "$__interval" - ], - "type": "time" - }, - { - "params": [ - "null" - ], - "type": "fill" - } - ], - "measurement": "healthcheck", - "orderByTime": "ASC", - "policy": "default", - "refId": "A", - "resultFormat": "time_series", - "select": [ - [ - { - "params": [ - "zeek_restart" - ], - "type": "field" - }, - { - "params": [], - "type": "last" - } - ] - ], - "tags": [ - { - "key": "host", - "operator": "=", - "value": "$servername" - } - ] - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Zeek Restarts via Healthcheck", - "type": "stat" -} diff --git a/salt/grafana/soc_grafana.yaml b/salt/grafana/soc_grafana.yaml deleted file mode 100644 index a1b056544..000000000 --- a/salt/grafana/soc_grafana.yaml +++ /dev/null 
@@ -1,49 +0,0 @@
-grafana:
- config:
- smtp:
- enabled:
- description: Enable the sending of emails from Grafana.
- global: True
- helpLink: grafana.html
- host:
- description: Hostname of the SMTP server.
- global: True
- helpLink: grafana.html
- user:
- description: Username for the SMTP server.
- global: True
- helpLink: grafana.html
- password:
- description: Password for the SMTP server.
- global: True
- sensitive: True
- helpLink: grafana.html
- cert_file:
- description: Location of cert file for the SMTP server.
- global: True
- helpLink: grafana.html
- key_file:
- description: Location of key file for the SMTP server.
- global: True
- helpLink: grafana.html
- skip_verify:
- description: Verify SSL certificates.
- global: True
- helpLink: grafana.html
- from_address:
- description: The email address you would like in the From field.
- global: True
- helpLink: grafana.html
- from_name:
- description: The name displayed for the From email address.
- global: True
- helpLink: grafana.html
- ehlo_identity:
- description: Used for servers with SMTP service extensions.
- global: True
- helpLink: grafana.html
- enterprise:
- license_path:
- description: Path to enterprise license key.
- global: True
- helpLink: grafana.html
diff --git a/salt/grafana/templates/cluster_name.json b/salt/grafana/templates/cluster_name.json
deleted file mode 100644
index bf6dbfb3f..000000000
--- a/salt/grafana/templates/cluster_name.json
+++ /dev/null
@@ -1,25 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.cluster_name.get('text', DASHBOARD)| json }}], - "value": [{{ TEMPLATES.cluster_name.get('value', DASHBOARD)| json }}] - }, - "datasource": "InfluxDB", - "definition": "show tag values with key=\"cluster_name\"", - "description": null, - "error": null, - "hide": {{ TEMPLATES.cluster_name.get('hide', 0)| json }}, - "includeAll": {{ TEMPLATES.cluster_name.get('includeAll', true)| json }}, - "label": "Cluster Name", - "multi": {{ TEMPLATES.cluster_name.get('multi', true)| json }}, - "name": "cluster_name", - "options": [], - "query": "show tag values with key=\"cluster_name\"", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" -} diff --git a/salt/grafana/templates/containers.json b/salt/grafana/templates/containers.json deleted file mode 100644 index 955c5c8e3..000000000 --- a/salt/grafana/templates/containers.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [], - "value": [] - }, - "datasource": "InfluxDB", - "definition": "SHOW TAG VALUES ON telegraf WITH KEY = container_name WHERE (_name = 'docker_container_cpu') AND ((host =~ /^$servername$/) AND (_tagKey = 'container_name'))", - "description": null, - "error": null, - "hide": 0, - "includeAll": true, - "label": "Docker Containers", - "multi": true, - "name": "containers", - "options": [], - "query": "SHOW TAG VALUES ON telegraf WITH KEY = container_name WHERE (_name = 'docker_container_cpu') AND ((host =~ /^$servername$/) AND (_tagKey = 'container_name'))", - "refresh": 1, - "regex": "/so-*/", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/cpucount.json b/salt/grafana/templates/cpucount.json deleted file mode 100644 index c41889565..000000000 
--- a/salt/grafana/templates/cpucount.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "allValue": null, - "current": {}, - "datasource": "InfluxDB", - "definition": "SELECT last(\"n_cpus\") FROM \"system\" WHERE \"host\" =~ /^$servername$/", - "description": null, - "error": null, - "hide": 2, - "includeAll": false, - "label": "CPU Count", - "multi": false, - "name": "cpucount", - "options": [], - "query": "SELECT last(\"n_cpus\") FROM \"system\" WHERE \"host\" =~ /^$servername$/", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/disk.json b/salt/grafana/templates/disk.json deleted file mode 100644 index ac1b190af..000000000 --- a/salt/grafana/templates/disk.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": false, - "text": "All", - "value": "$__all" - }, - "datasource": "InfluxDB", - "definition": "", - "description": null, - "error": null, - "hide": 0, - "includeAll": true, - "label": "Disk", - "multi": true, - "name": "disk", - "options": [], - "query": "SHOW TAG VALUES ON telegraf FROM \"diskio\" WITH KEY = \"name\" WHERE host =~ /$servername/", - "refresh": 1, - "regex": "[a-z]d[\\D]$|nvme[\\d]n[\\d]$", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": null, - "tags": [], - "tagsQuery": null, - "type": "query", - "useTags": false -} - - - - - - - - - - - diff --git a/salt/grafana/templates/manint.json b/salt/grafana/templates/manint.json deleted file mode 100644 index 22015d274..000000000 --- a/salt/grafana/templates/manint.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [], - "value": [] - }, - "datasource": "InfluxDB", - "definition": "SELECT \"manint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "description": null, - "error": null, - "hide": 2, - "includeAll": true, - "label": "Management Interface", - "multi": true, - "name": "manint", - "options": [], - "query": "SELECT \"manint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/monint.json b/salt/grafana/templates/monint.json deleted file mode 100644 index 417ea8e62..000000000 --- a/salt/grafana/templates/monint.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [], - "value": [] - }, - "datasource": "InfluxDB", - "definition": "SELECT \"monint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "description": null, - "error": null, - "hide": 2, - "includeAll": true, - "label": "Monitor Interface", - "multi": true, - "name": "monint", - "options": [], - "query": "SELECT \"monint\" FROM \"node_config\" WHERE (\"host\" =~ /^$servername$/)", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } diff --git a/salt/grafana/templates/role.json b/salt/grafana/templates/role.json deleted file mode 100644 index de51ff5d2..000000000 --- a/salt/grafana/templates/role.json +++ /dev/null 
@@ -1,29 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.role.get('text', DASHBOARD)| json }}], - "value": [{{ TEMPLATES.role.get('value', DASHBOARD)| json }}] - }, - "datasource": "InfluxDB", - "definition": "show tag values with key=\"role\"", - "description": null, - "error": null, - "hide": {{ TEMPLATES.role.get('hide', 0)| json }}, - "includeAll": {{ TEMPLATES.role.get('includeAll', true)| json }}, - "label": "Role", - "multi": {{ TEMPLATES.role.get('multi', true)| json }}, - "name": "role", - "options": [], - "query": "show tag values with key=\"role\"", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false -} diff --git a/salt/grafana/templates/searchnode.json b/salt/grafana/templates/searchnode.json deleted file mode 100644 index 57365cc57..000000000 --- a/salt/grafana/templates/searchnode.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.searchnode.get('text', DASHBOARD)| json }}], - "value": [{{ TEMPLATES.searchnode.get('value', DASHBOARD)| json }}] - }, - "datasource": "InfluxDB", - "definition": "show tag values with key=\"host\" WHERE (\"role\" =~ /search/) OR (\"role\" = 'heavynode') OR (\"role\" = 'standalone') OR (\"role\" = 'eval') ", - "description": null, - "error": null, - "hide": {{ TEMPLATES.searchnode.get('hide', 0)| json }}, - "includeAll": {{ TEMPLATES.searchnode.get('includeAll', true)| json }}, - "label": "Searchnode", - "multi": {{ TEMPLATES.searchnode.get('multi', true)| json }}, - "name": "searchnode", - "options": [], - "query": "show tag values with key=\"host\" WHERE (\"role\" =~ /search/) OR (\"role\" = 'heavynode') OR (\"role\" = 'standalone') OR (\"role\" = 'eval') ", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" -} 
diff --git a/salt/grafana/templates/servername.json b/salt/grafana/templates/servername.json deleted file mode 100644 index aaa90acfc..000000000 --- a/salt/grafana/templates/servername.json +++ /dev/null @@ -1,34 +0,0 @@ -{% if DASHBOARD == 'overview' %} - {% set query = "show tag values with key=\\\"host\\\" WHERE (\\\"role\\\" =~ /^$role$/)" %} -{% else %} -{% set query = "show tag values with key=\\\"host\\\" WHERE (\\\"role\\\" = '" ~ DASHBOARD ~ "' )" %} -{% endif %} -{ - "allValue": null, - "current": { - "selected": true, - "tags": [], - "text": [{{ TEMPLATES.servername.get('text', '')| json }}], - "value": [{{ TEMPLATES.servername.get('value', '')| json }}] - }, - "datasource": "InfluxDB", - "definition": "{{ query }}", - "description": "", - "error": null, - "hide": 0, - "includeAll": true, - "label": "Node", - "multi": true, - "name": "servername", - "options": [], - "query": "{{ query }}", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "sort": 1, - "tagValuesQuery": "", - "tags": [], - "tagsQuery": "", - "type": "query", - "useTags": false - } From 9d4e4830dd2cba3636b57b8e289f4d6c04ef1e18 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 17 Feb 2023 14:19:29 -0500 Subject: [PATCH 130/470] add podman state --- salt/podman/files/podman.service | 17 +++++++++++ salt/podman/files/podman.socket | 10 +++++++ salt/podman/init.sls | 51 ++++++++++++++++++++++++++++++++ 3 files changed, 78 insertions(+) create mode 100644 salt/podman/files/podman.service create mode 100644 salt/podman/files/podman.socket create mode 100644 salt/podman/init.sls diff --git a/salt/podman/files/podman.service b/salt/podman/files/podman.service new file mode 100644 index 000000000..eaa2ec437 --- /dev/null +++ b/salt/podman/files/podman.service 
@@ -0,0 +1,17 @@
+[Unit]
+Description=Podman API Service
+Requires=podman.socket
+After=podman.socket
+Documentation=man:podman-api(1)
+StartLimitIntervalSec=0
+
+[Service]
+Type=oneshot
+Environment=REGISTRIES_CONFIG_PATH=/etc/containers/registries.conf
+ExecStart=/usr/bin/podman system service
+TimeoutStopSec=30
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
+Also=podman.socket
diff --git a/salt/podman/files/podman.socket b/salt/podman/files/podman.socket
new file mode 100644
index 000000000..8b22e31e4
--- /dev/null
+++ b/salt/podman/files/podman.socket
@@ -0,0 +1,10 @@
+[Unit]
+Description=Podman API Socket
+Documentation=man:podman-api(1)
+
+[Socket]
+ListenStream=%t/podman/podman.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target
diff --git a/salt/podman/init.sls b/salt/podman/init.sls
new file mode 100644
index 000000000..0c369c2c6
--- /dev/null
+++ b/salt/podman/init.sls
@@ -0,0 +1,51 @@
+Pip pkg:
+ pkg.installed:
+ - name: python3-pip
+
+Podman pkg:
+ pkg.installed:
+ - name: podman
+
+#Podman service:
+# file.managed:
+# - name: /usr/lib/systemd/system/podman.service
+# - source: salt://podman/podman.service
+
+#Podman socket:
+# file.managed:
+# - name: /usr/lib/systemd/system/podman.socket
+# - source: salt://podman/podman.socket
+# service.running:
+# - name: podman.socket
+# - enable: true
+
+Docker socket:
+ file.symlink:
+ - name: /var/run/docker.sock
+ - target: /var/run/podman/podman.sock
+
+podman_docker_symlink:
+ file.symlink:
+ - name: /usr/bin/docker
+ - target: /usr/local/bin/podman
+
+Docker python:
+ pip.installed:
+ - bin_env: /usr/bin/pip3
+ - reload_modules: true
+ - pkgs:
+ - certifi #==2019.11.28
+ - chardet #==3.0.4
+ - docker #==4.2.1
+ - idna #==2.9
+ # - requests==2.23.0
+ - six #==1.14.0
+ - urllib3 #==1.25.8
+ - websocket-client #==0.57.0
+
+restart_salt_minion:
+ cmd.run:
+ - name: 'salt-call service.restart salt-minion'
+ - bg: true
+ - onchanges:
+ - pip: Docker python
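Review bot: `Docker socket` in the init.sls hunk symlinks `/var/run/docker.sock` to `/var/run/podman/podman.sock` with no `require` on the unit that creates that socket, and the `Podman socket` stanza that would start it is commented out, so on a fresh host the link is dangling and, once podman.socket is up, anything that can open the Docker path talks to the rootful Podman API (podman.service runs `podman system service` as a system unit, i.e. as root), which is root-equivalent. I would add `- require:` / `- service: podman.socket` to the symlink once the socket is managed, and keep the shipped podman.socket as written (`SocketMode=0660` with no `SocketGroup` leaves it root-only). `Docker python` pulls `docker`, `urllib3`, `certifi` and friends from PyPI with every pin turned into a YAML comment (`- docker #==4.2.1` installs whatever is latest), an unpinned supply-chain dependency on a root-run minion; pin them or rely on distro packages. The commented `source: salt://podman/podman.service` paths also do not match where the unit files are added in this commit (`salt/podman/files/`), so they will fail if uncommented as-is.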
From 49549c3d61914a6fc1452bbdafaf26f785e53378 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Feb 2023 14:24:55 -0500
Subject: [PATCH 131/470] remove unneedfuls from podman state
---
 salt/podman/init.sls | 49 ++++++++++++--------------------------------
 1 file changed, 13 insertions(+), 36 deletions(-)
diff --git a/salt/podman/init.sls b/salt/podman/init.sls
index 0c369c2c6..3bd77417c 100644
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -1,23 +1,21 @@
-Pip pkg:
- pkg.installed:
- - name: python3-pip
-
 Podman pkg:
 pkg.installed:
 - name: podman
-#Podman service:
-# file.managed:
-# - name: /usr/lib/systemd/system/podman.service
-# - source: salt://podman/podman.service
+{#
+Podman service:
+ file.managed:
+ - name: /usr/lib/systemd/system/podman.service
+ - source: salt://podman/podman.service
-#Podman socket:
-# file.managed:
-# - name: /usr/lib/systemd/system/podman.socket
-# - source: salt://podman/podman.socket
-# service.running:
-# - name: podman.socket
-# - enable: true
+Podman socket:
+ file.managed:
+ - name: /usr/lib/systemd/system/podman.socket
+ - source: salt://podman/podman.socket
+ service.running:
+ - name: podman.socket
+ - enable: true
+#}
 Docker socket:
 file.symlink:
@@ -28,24 +26,3 @@ podman_docker_symlink:
 file.symlink:
 - name: /usr/bin/docker
 - target: /usr/local/bin/podman
-
-Docker python:
- pip.installed:
- - bin_env: /usr/bin/pip3
- - reload_modules: true
- - pkgs:
- - certifi #==2019.11.28
- - chardet #==3.0.4
- - docker #==4.2.1
- - idna #==2.9
- # - requests==2.23.0
- - six #==1.14.0
- - urllib3 #==1.25.8
- - websocket-client #==0.57.0
-
-restart_salt_minion:
- cmd.run:
- - name: 'salt-call service.restart salt-minion'
- - bg: true
- - onchanges:
- - pip: Docker python
From 6fd68351ecb2ec926a68d18d5ff4f46db7c5b180 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Feb 2023 14:30:55 -0500
Subject: [PATCH 132/470] fix more python depends
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
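Review bot: After the `@@ -1,23 +1,21 @@` hunk the `service.running` for `podman.socket` sits inside the `{# … #}` Jinja comment, so nothing in this state starts or enables the socket that the `Docker socket` symlink below it points to; the link is created dangling until something outside this state brings podman.socket up. If the block is meant to be restored later, `source: salt://podman/podman.service` and `salt://podman/podman.socket` do not match where the unit files live (`salt/podman/files/`), so both `file.managed` states would fail on first render; `salt://podman/files/podman.service` is the path that exists.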
diff --git a/setup/so-functions b/setup/so-functions
index b25561729..d358e9429 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2002,7 +2002,7 @@ saltify() {
 if [[ $is_rocky ]]; then
 # THIS IS A TEMP HACK
- logCmd "dnf -y install securityonion-salt python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
+ logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
 logCmd "mkdir -p /etc/salt/minion.d"
 if [[ $waitforstate ]]; then
 # Since this is a salt master so let's install it
From 160ed46d964a93ffe9b6f82296c6e43aed12dfcd Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Feb 2023 14:59:07 -0500
Subject: [PATCH 133/470] podman and remove filebeat
---
 salt/podman/init.sls | 20 +++++++++++++++++++-
 salt/top.sls | 34 ----------------------------------
 setup/so-setup | 2 +-
 3 files changed, 20 insertions(+), 36 deletions(-)
diff --git a/salt/podman/init.sls b/salt/podman/init.sls
index 3bd77417c..eb6ab5503 100644
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -1,3 +1,5 @@
+{% from 'docker/docker.map.jinja' import DOCKER %}
+
 Podman pkg:
 pkg.installed:
 - name: podman
@@ -7,15 +9,18 @@ Podman service:
 file.managed:
 - name: /usr/lib/systemd/system/podman.service
 - source: salt://podman/podman.service
+#}
 Podman socket:
+{#
 file.managed:
 - name: /usr/lib/systemd/system/podman.socket
 - source: salt://podman/podman.socket
+#}
 service.running:
 - name: podman.socket
 - enable: true
-#}
+
 Docker socket:
 file.symlink:
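Review bot: The `dnf -y install` line under `# THIS IS A TEMP HACK` now hand-lists a second group of Python packages (`python3-audit`, `python3-libsemanage`, `python3-policycoreutils`, `python3-setools`, `python3-setuptools`) that look like the SELinux bindings Salt's selinux states need on Rocky; keeping them in the installer instead of as `Requires:` of the `securityonion-salt` RPM means an upgrade of that package will not pull them in, and a node that skips this path will drift. I would move the list into the package spec, or at least add a comment above the line naming which Salt module each group is for, e.g. `# SELinux bindings for salt selinux.* states; docker SDK for docker_* states`. `saltify()` continues outside the hunk.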
@@ -26,3 +31,16 @@ podman_docker_symlink:
 file.symlink:
 - name: /usr/bin/docker
 - target: /usr/local/bin/podman
+
+sos_docker_net:
+ docker_network.present:
+ - name: sobridge
+ - subnet: {{ DOCKER.sorange }}
+ - gateway: {{ DOCKER.sobip }}
+ - options:
+ com.docker.network.bridge.name: 'sobridge'
+ com.docker.network.driver.mtu: '1500'
+ com.docker.network.bridge.enable_ip_masquerade: 'true'
+ com.docker.network.bridge.enable_icc: 'true'
+ com.docker.network.bridge.host_binding_ipv4: '0.0.0.0'
+ - unless: 'docker network ls | grep sobridge'
diff --git a/salt/top.sls b/salt/top.sls
index f0b60deb5..272e6d8a9 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -8,7 +8,6 @@
 {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
 {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
 {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
-{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', False) %}
 {% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
 {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
 {% set REDIS = salt['pillar.get']('redis:enabled', True) %}
@@ -62,9 +61,6 @@ base:
 {%- if STRELKA %}
 - strelka
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - schedule
 - docker_clean
@@ -102,9 +98,6 @@ base:
 {%- if STRELKA %}
 - strelka
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - curator
 {%- if ELASTALERT %}
 - elastalert
@@ -153,9 +146,6 @@ base:
 {%- if ELASTALERT %}
 - elastalert
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - utility
 - schedule
 - soctopus
@@ -202,9 +192,6 @@ base:
 {%- if STRELKA %}
 - strelka
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - curator
 {%- if ELASTALERT %}
 - elastalert
@@ -229,9 +216,6 @@ base:
 {%- if LOGSTASH %}
 - logstash
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - schedule
 - docker_clean
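Review bot: The `unless: 'docker network ls | grep sobridge'` guard on `sos_docker_net` short-circuits `docker_network.present`, which is already idempotent, so once any network whose name merely contains `sobridge` exists Salt will never reconcile a changed `subnet`, `gateway` or option (`enable_icc`, `host_binding_ipv4`) to the configured values. I would drop the `unless`, or at least make it exact with `- unless: 'docker network ls | grep -qw sobridge'`. Note that `docker` here is the symlink to podman created a few lines above, and `docker_network.present` needs the `docker` Python SDK that the previous commit stopped installing from this state, so this now works only because so-functions installs `python3-docker`; a `require` on `Podman pkg` and on the socket service would at least make the ordering explicit. If the firewall state still programs its rules into the iptables `DOCKER-USER` chain, be aware that podman's networking does not consult that chain, so the `host_binding_ipv4: '0.0.0.0'` publish bindings here may not be filtered the way they were under docker; worth verifying on a podman host before this ships.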
@@ -270,9 +254,6 @@ base:
 {%- if ELASTALERT %}
 - elastalert
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - utility
 - schedule
 - soctopus
@@ -296,9 +277,6 @@ base:
 - redis
 {%- endif %}
 - curator
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 {%- if STRELKA %}
 - strelka
 {%- endif %}
@@ -307,9 +285,6 @@ base:
 {%- if ZEEKVER != 'SURICATA' %}
 - zeek
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - schedule
 - docker_clean
@@ -336,9 +311,6 @@ base:
 {%- if KIBANA %}
 - kibana.so_savedobjects_defaults
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - utility
 - suricata
 - zeek
@@ -358,9 +330,6 @@ base:
 {%- if REDIS %}
 - redis
 {%- endif %}
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - schedule
 - docker_clean
@@ -372,9 +341,6 @@ base:
 - firewall
 - schedule
 - docker_clean
- {%- if FILEBEAT %}
- - filebeat
- {%- endif %}
 - idh
 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )':
diff --git a/setup/so-setup b/setup/so-setup
index 9448a4011..f9243dfa5 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -579,7 +579,7 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "salt-call state.apply common.packages"
 logCmd "salt-call state.apply common"
- logCmd "salt-call state.apply docker"
+ logCmd "salt-call state.apply podman"
 firewall_generate_templates
 set_initial_firewall_policy
From 03cd67431d247f09aaada5d459e5940fe7a121cb Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Feb 2023 15:36:45 -0500
Subject: [PATCH 134/470] start and enable podman services
---
 salt/podman/init.sls | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/salt/podman/init.sls b/salt/podman/init.sls
index eb6ab5503..8a0303708 100644
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -11,16 +11,15 @@ Podman service:
 - source: salt://podman/podman.service
 #}
-Podman socket:
-{#
- file.managed:
- - name: /usr/lib/systemd/system/podman.socket
- - source: salt://podman/podman.socket
-#}
+Podman_socket_service:
 service.running:
 - name: podman.socket
 - enable: true
+Podman_service:
+ service.running:
+ - name: podman.service
+ - enable: true
 Docker socket:
 file.symlink:
From 4bafb408946c63036a33e89eab1df8912d2f0f4b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Feb 2023 15:38:54 -0500
Subject: [PATCH 135/470] fix registry from restart
---
 salt/registry/init.sls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index 428cfd81d..cb8035e44 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -53,6 +53,8 @@ so-dockerregistry:
 - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
 - /etc/pki/registry.key:/etc/pki/registry.key:ro
 - client_timeout: 180
+ - environment:
+ - HOME=/root
 - retry:
 attempts: 5
 interval: 30
From 5fff06602aa72512402c5cdc1feaab799ae6eeaa Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 17 Feb 2023 15:41:42 -0500
Subject: [PATCH 136/470] change symlink
---
 salt/podman/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/podman/init.sls b/salt/podman/init.sls
index 8a0303708..8fe1950da 100644
--- a/salt/podman/init.sls
+++ b/salt/podman/init.sls
@@ -29,7 +29,7 @@ Docker socket:
 podman_docker_symlink:
 file.symlink:
 - name: /usr/bin/docker
- - target: /usr/local/bin/podman
+ - target: /usr/bin/podman
 sos_docker_net:
 docker_network.present:
From f00c7169ceada4ebb5ab2b434596906b19e71741 Mon Sep 17 00:00:00 2001
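Review bot: `Podman_service` puts `service.running` with `enable: true` on `podman.service`, but that unit, like the podman.service added earlier in this series, runs `podman system service` with no `--time=0`, and that command exits on its own after its idle timeout; on every highstate Salt will then find the unit inactive, report a change and restart it, which is noise at best and a needless restart of the API backend at worst. The socket is what should be enabled and running, and `Podman_socket_service` already does that, so I would drop `Podman_service` or reduce it to `service.enabled` only, with a comment such as `# podman.service is socket-activated and exits when idle; do not keep it running`. `Docker socket` still has no requisite on the socket it links to; adding `- require:` / `- service: Podman_socket_service` under the symlink makes the dependency explicit instead of relying on file order.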
From: Jason Ertel Date: Tue, 21 Feb 2023 09:24:55 -0500 Subject: [PATCH 137/470] update test scenarios --- .../automation/distributed-net-centos-manager | 66 ----------------- ...ricata-manager => distributed-net-manager} | 2 +- ...t-centos-search => distributed-net-search} | 0 ...t-centos-sensor => distributed-net-sensor} | 2 +- .../automation/distributed-net-ubuntu-manager | 66 ----------------- .../automation/distributed-net-ubuntu-search | 68 ------------------ .../automation/distributed-net-ubuntu-sensor | 68 ------------------ .../distributed-net-ubuntu-suricata-search | 68 ------------------ .../distributed-net-ubuntu-suricata-sensor | 70 ------------------- .../automation/{eval-net-centos => eval-net} | 0 setup/automation/eval-net-ubuntu | 66 ----------------- .../{import-net-centos => import-net} | 2 +- setup/automation/import-net-ubuntu | 66 ----------------- setup/automation/standalone-iso-logscan | 67 ------------------ ...standalone-iso-suricata => standalone-net} | 2 +- setup/automation/standalone-net-centos | 66 ----------------- setup/automation/standalone-net-centos-proxy | 67 ------------------ setup/automation/standalone-net-ubuntu | 66 ----------------- 18 files changed, 4 insertions(+), 808 deletions(-) delete mode 100644 setup/automation/distributed-net-centos-manager rename setup/automation/{distributed-net-ubuntu-suricata-manager => distributed-net-manager} (99%) rename setup/automation/{distributed-net-centos-search => distributed-net-search} (100%) rename setup/automation/{distributed-net-centos-sensor => distributed-net-sensor} (98%) delete mode 100644 setup/automation/distributed-net-ubuntu-manager delete mode 100644 setup/automation/distributed-net-ubuntu-search delete mode 100644 setup/automation/distributed-net-ubuntu-sensor delete mode 100644 setup/automation/distributed-net-ubuntu-suricata-search delete mode 100644 setup/automation/distributed-net-ubuntu-suricata-sensor rename setup/automation/{eval-net-centos => eval-net} (100%) 
delete mode 100644 setup/automation/eval-net-ubuntu rename setup/automation/{import-net-centos => import-net} (98%) delete mode 100644 setup/automation/import-net-ubuntu delete mode 100644 setup/automation/standalone-iso-logscan rename setup/automation/{standalone-iso-suricata => standalone-net} (98%) delete mode 100644 setup/automation/standalone-net-centos delete mode 100644 setup/automation/standalone-net-centos-proxy delete mode 100644 setup/automation/standalone-net-ubuntu diff --git a/setup/automation/distributed-net-centos-manager b/setup/automation/distributed-net-centos-manager deleted file mode 100644 index c601d3283..000000000 --- a/setup/automation/distributed-net-centos-manager +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 -# BLOGS= -#BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=distributed-manager -install_type=MANAGER -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=eth0 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-net-ubuntu-suricata-manager b/setup/automation/distributed-net-manager similarity index 99% rename from setup/automation/distributed-net-ubuntu-suricata-manager rename to setup/automation/distributed-net-manager index 1285eb6ba..fff5bdb39 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-manager +++ b/setup/automation/distributed-net-manager @@ -35,7 +35,7 @@ MANAGERADV=BASIC # MGATEWAY= # MIP= # MMASK= -MNIC=ens18 +MNIC=eth0 # MSEARCH= # MSRV= # MTU= 
diff --git a/setup/automation/distributed-net-centos-search b/setup/automation/distributed-net-search similarity index 100% rename from setup/automation/distributed-net-centos-search rename to setup/automation/distributed-net-search diff --git a/setup/automation/distributed-net-centos-sensor b/setup/automation/distributed-net-sensor similarity index 98% rename from setup/automation/distributed-net-centos-sensor rename to setup/automation/distributed-net-sensor index 4b38ff510..eb104f1a8 100644 --- a/setup/automation/distributed-net-centos-sensor +++ b/setup/automation/distributed-net-sensor @@ -18,7 +18,7 @@ BASICZEEK=2 BASICSURI=2 # BLOGS= BNICS=eth1 -ZEEKVERSION=ZEEK +ZEEKVERSION=SURICATA # CURCLOSEDAYS= # EVALADVANCED=BASIC # HELIXAPIKEY= diff --git a/setup/automation/distributed-net-ubuntu-manager b/setup/automation/distributed-net-ubuntu-manager deleted file mode 100644 index 4cc4f65d9..000000000 --- a/setup/automation/distributed-net-ubuntu-manager +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 -# BLOGS= -#BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=distributed-manager -install_type=MANAGER -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-net-ubuntu-search b/setup/automation/distributed-net-ubuntu-search deleted file mode 100644 index 0ad135e1a..000000000 --- a/setup/automation/distributed-net-ubuntu-search +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -# ALLOW_CIDR=0.0.0.0/0 -# ALLOW_ROLE=a -# BASICZEEK=7 -# BASICSURI=7 -# BLOGS= -# BNICS=eth1 -# ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=distributed-search -install_type=SEARCHNODE -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -# MANAGERADV=BASIC -MANAGERUPDATES=1 -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -MSRV=distributed-manager -MSRVIP=10.66.166.62 -# MTU= -# NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -# OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -# PLAYBOOK=1 -# REDIRECTHOST= -# REDIRECTINFO=IP -# RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -# STRELKA=1 -# THEHIVE=0 -# WAZUH=1 -# WEBUSER=onionuser@somewhere.invalid -# WEBPASSWD1=0n10nus3r -# WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-net-ubuntu-sensor b/setup/automation/distributed-net-ubuntu-sensor deleted file mode 100644 index c69ec3200..000000000 --- a/setup/automation/distributed-net-ubuntu-sensor +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -# ALLOW_CIDR=0.0.0.0/0 -# ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=ens19 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=distributed-sensor -install_type=SENSOR -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -# MANAGERADV=BASIC -MANAGERUPDATES=1 -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -MSRV=distributed-manager -MSRVIP=10.66.166.62 -# MTU= -# NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -# NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -# OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -# PLAYBOOK=1 -# REDIRECTHOST= -# REDIRECTINFO=IP -# RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -# STRELKA=1 -# THEHIVE=0 -# WAZUH=1 -# WEBUSER=onionuser@somewhere.invalid -# WEBPASSWD1=0n10nus3r -# WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search deleted file mode 100644 index bc1956e52..000000000 --- a/setup/automation/distributed-net-ubuntu-suricata-search +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -# ALLOW_CIDR=0.0.0.0/0 -# ALLOW_ROLE=a -# BASICZEEK=7 -# BASICSURI=7 -# BLOGS= -# BNICS=eth1 -# ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=distributed-search -install_type=SEARCHNODE -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -# MANAGERADV=BASIC -MANAGERUPDATES=1 -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -MSRV=distributed-manager -MSRVIP=10.66.166.66 -# MTU= -# NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=ADVANCED -NODEUPDATES=MANAGER -# OINKCODE= -# OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -# PLAYBOOK=1 -# REDIRECTHOST= -# REDIRECTINFO=IP -# RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -# STRELKA=1 -# THEHIVE=0 -# WAZUH=1 -# WEBUSER=onionuser@somewhere.invalid -# WEBPASSWD1=0n10nus3r -# WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor deleted file mode 100644 index f54fd19a3..000000000 --- a/setup/automation/distributed-net-ubuntu-suricata-sensor +++ /dev/null 
@@ -1,70 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -# ALLOW_CIDR=0.0.0.0/0 -# ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=ens19 -ZEEKVERSION=SURICATA -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=distributed-sensor -install_type=SENSOR -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -# MANAGERADV=BASIC -MANAGERUPDATES=1 -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -MSRV=distributed-manager -MSRVIP=10.66.166.66 -MTU=1500 -# NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -# NODESETUP=NODEBASIC -NSMSETUP=ADVANCED -NODEUPDATES=MANAGER -# OINKCODE= -# OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -# PLAYBOOK=1 -# REDIRECTHOST= -# REDIRECTINFO=IP -# RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -# STRELKA=1 -SURIPINS=(2 3) -# THEHIVE=0 -# WAZUH=1 -# WEBUSER=onionuser@somewhere.invalid -# WEBPASSWD1=0n10nus3r -# WEBPASSWD2=0n10nus3r -ZEEKPINS=(0 1) diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net similarity index 100% rename from setup/automation/eval-net-centos rename to setup/automation/eval-net diff --git a/setup/automation/eval-net-ubuntu b/setup/automation/eval-net-ubuntu deleted file mode 100644 index 1f16bb336..000000000 --- a/setup/automation/eval-net-ubuntu +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -# address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=ens19 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=eval -install_type=EVAL -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/import-net-centos b/setup/automation/import-net similarity index 98% rename from setup/automation/import-net-centos rename to setup/automation/import-net index a18400148..e58a3961a 100644 --- a/setup/automation/import-net-centos +++ b/setup/automation/import-net @@ -18,7 +18,7 @@ BASICZEEK=2 BASICSURI=2 # BLOGS= #BNICS=eth1 -ZEEKVERSION=ZEEK +ZEEKVERSION=SURICATA # CURCLOSEDAYS= # EVALADVANCED=BASIC # HELIXAPIKEY= diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu deleted file mode 100644 index 82240f4f6..000000000 --- a/setup/automation/import-net-ubuntu +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -# address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -#BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=import -install_type=IMPORT -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -# OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -# PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -# SOREMOTEPASS1=onionuser -# SOREMOTEPASS2=onionuser -STRELKA=1 -# THEHIVE=0 -# WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-iso-logscan b/setup/automation/standalone-iso-logscan deleted file mode 100644 index 9e5f29602..000000000 --- a/setup/automation/standalone-iso-logscan +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=standalone -install_type=STANDALONE -LEARN_LOGSCAN_ENABLE=true -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=eth0 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-net similarity index 98% rename from setup/automation/standalone-iso-suricata rename to setup/automation/standalone-net index 625930a07..23019f788 100644 --- a/setup/automation/standalone-iso-suricata +++ b/setup/automation/standalone-net @@ -8,7 +8,7 @@ TESTING=true -address_type=DHCP +# address_type=DHCP ADMINUSER=onionuser ADMINPASS1=onionuser ADMINPASS2=onionuser diff --git a/setup/automation/standalone-net-centos b/setup/automation/standalone-net-centos deleted file mode 100644 index 4179ac39c..000000000 
--- a/setup/automation/standalone-net-centos +++ /dev/null @@ -1,66 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -# address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=standalone -install_type=STANDALONE -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=eth0 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-net-centos-proxy b/setup/automation/standalone-net-centos-proxy deleted file mode 100644 index ffabf5ebd..000000000 --- a/setup/automation/standalone-net-centos-proxy +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -# address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=standalone -install_type=STANDALONE -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=eth0 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -so_proxy=http://onionuser:0n10nus3r@10.66.166.30:3128 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-net-ubuntu b/setup/automation/standalone-net-ubuntu deleted file mode 100644 index ad17ec756..000000000 --- a/setup/automation/standalone-net-ubuntu +++ /dev/null 
@@ -1,66 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -# address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -BNICS=ens19 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=standalone -install_type=STANDALONE -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=ens18 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r From 2b6685c887614ea5b0734a3e9ececc9562fd23b0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 21 Feb 2023 09:27:02 -0500 Subject: [PATCH 138/470] restore kilo version --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 197c4d5c2..7f2e97617 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0 +2.4.0-kilo From 653062b7c9c986f86b014a77a33090c866856fd7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 21 Feb 2023 09:46:52 -0500 Subject: [PATCH 139/470] run podman state early --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) 
diff --git a/salt/top.sls b/salt/top.sls index 272e6d8a9..1896d5fb3 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -21,6 +21,7 @@ base: '*': - cron.running - repo.client + - podman - ntp 'not G@saltversion:{{saltversion}}': From 173b15b46e218fbae5ced7da2eab71242b971b2e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Feb 2023 09:58:07 -0500 Subject: [PATCH 140/470] Add python3-rich for sostatus --- salt/common/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 9fd9f4e51..d91e1b714 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -50,4 +50,5 @@ commonpkgs: - python3-docker - python3-m2crypto - rsync + - python3-rich {% endif %} From 6cfa16c25119fbd50da892251e066068e61b6443 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Feb 2023 10:00:09 -0500 Subject: [PATCH 141/470] fix reposync script --- salt/common/tools/sbin/so-repo-sync | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index 4a9cc3b18..dee71b64c 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync @@ -11,6 +11,6 @@ set_version set_os salt_minion_count -curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup" +curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/ crete_repo /nsm/repo \ No newline at end of file From f34e144629d26e9de324fca3b704e6afd8905e76 Mon Sep 17 00:00:00 2001 
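Review bot: The rewritten curl line still wraps the User-Agent in single quotes, so `$VERSION`, `$OS`, `$(uname -r)` and `$MINIONCOUNT` are sent to the check-in endpoint as literal text and the preceding `set_version`/`set_os`/`salt_minion_count` calls are wasted; only the stray trailing `"` was removed. It should be `curl --retry 5 --retry-delay 60 -A "checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup`. Writing the response to the fixed, world-writable path `/tmp/checkup` is also worth revisiting if this runs as root (it syncs into `/nsm/repo`, so presumably it does): curl follows a pre-planted symlink there, and a `mktemp`-created file or a root-owned directory avoids that. The script header and the helper functions it calls are outside the hunk.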
From: Mike Reeves Date: Tue, 21 Feb 2023 10:01:27 -0500 Subject: [PATCH 142/470] removes filebeat --- .../tools/sbin/so-filebeat-module-setup | 58 ------------------- salt/common/tools/sbin/so-filebeat-restart | 12 ---- salt/common/tools/sbin/so-filebeat-start | 12 ---- salt/common/tools/sbin/so-filebeat-stop | 12 ---- 4 files changed, 94 deletions(-) delete mode 100755 salt/common/tools/sbin/so-filebeat-module-setup delete mode 100755 salt/common/tools/sbin/so-filebeat-restart delete mode 100755 salt/common/tools/sbin/so-filebeat-start delete mode 100755 salt/common/tools/sbin/so-filebeat-stop diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup deleted file mode 100755 index 43c816087..000000000 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -{%- set mainint = salt['pillar.get']('host:mainint') %} -{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} - -default_conf_dir=/opt/so/conf -ELASTICSEARCH_HOST="{{ MYIP }}" -ELASTICSEARCH_PORT=9200 -#ELASTICSEARCH_AUTH="" - -# Define a default directory to load pipelines from -FB_MODULE_YML="/usr/share/filebeat/module-setup.yml" - - -# Wait for ElasticSearch to initialize -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 240 ]]; do - curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo -fi -echo "Testing to see if the pipelines are already applied" -ESVER=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") -PIPELINES=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . 
| wc -c) - -if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then - echo "Setting up ingest pipeline(s)" -{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} -{%- for module in MODULESMERGED.modules.keys() %} - {%- for fileset in MODULESMERGED.modules[module] %} - echo "{{ module }}.{{ fileset}}" - docker exec -i so-filebeat filebeat setup --pipelines --modules {{ module }} -M "{{ module }}.{{ fileset }}.enabled=true" -c $FB_MODULE_YML - sleep 0.5 - {% endfor %} -{%- endfor %} -else - exit 0 -fi diff --git a/salt/common/tools/sbin/so-filebeat-restart b/salt/common/tools/sbin/so-filebeat-restart deleted file mode 100755 index 97ccbb0ee..000000000 --- a/salt/common/tools/sbin/so-filebeat-restart +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-restart filebeat $1 diff --git a/salt/common/tools/sbin/so-filebeat-start b/salt/common/tools/sbin/so-filebeat-start deleted file mode 100755 index cf148d49a..000000000 --- a/salt/common/tools/sbin/so-filebeat-start +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-start filebeat $1 diff --git a/salt/common/tools/sbin/so-filebeat-stop b/salt/common/tools/sbin/so-filebeat-stop deleted file mode 100755 index d3c50fef0..000000000 --- a/salt/common/tools/sbin/so-filebeat-stop +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -. /usr/sbin/so-common - -/usr/sbin/so-stop filebeat $1 From b402b84d11e5924981269a80399426d572966a91 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Feb 2023 10:04:56 -0500 Subject: [PATCH 143/470] fix reposync --- salt/common/tools/sbin/so-repo-sync | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index dee71b64c..8ee9e0581 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync @@ -12,5 +12,5 @@ set_os salt_minion_count curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup -reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/ -crete_repo /nsm/repo \ No newline at end of file +dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ +creterepo /nsm/repo \ No newline at end of file From c4a54704549063827ceac3efae37eb809a5f9d47 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Feb 2023 10:06:01 -0500 Subject: [PATCH 144/470] fix reposync --- salt/common/tools/sbin/so-repo-sync | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index 8ee9e0581..9ea697673 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync 
@@ -13,4 +13,4 @@ salt_minion_count curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ -creterepo /nsm/repo \ No newline at end of file +createrepo /nsm/repo \ No newline at end of file From bc054a15d31eb0f1b440a1718b651d3fdfd4c80d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Feb 2023 10:15:47 -0500 Subject: [PATCH 145/470] add createrepo --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d358e9429..da20019c1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -877,7 +877,7 @@ create_manager_pillars() { create_repo() { title "Create the repo directory" - logCmd "dnf -y install yum-utils" + logCmd "dnf -y install yum-utils createrepo" logCmd "createrepo /nsm/repo" } From b62cc32b1a4a80356f46621084cb0e0892967617 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 21 Feb 2023 11:52:37 -0500 Subject: [PATCH 146/470] Initial support for IDH --- salt/allowed_states.map.jinja | 1 - salt/common/tools/sbin/so-firewall-minion | 2 +- salt/common/tools/sbin/so-minion | 16 ++++- salt/docker/defaults.yaml | 2 + salt/firewall/assigned_hostgroups.map.yaml | 8 ++- salt/firewall/containers.map.jinja | 84 ++++++++++++++++++++++ salt/firewall/map.jinja | 7 ++ salt/idh/opencanary_config.map.jinja | 22 ++++-- salt/top.sls | 3 - salt/vars/idh.map.jinja | 1 + setup/so-functions | 29 ++++++++ setup/so-setup | 4 +- setup/so-whiptail | 52 ++++++++++++++ 13 files changed, 216 insertions(+), 15 deletions(-) create mode 100644 salt/vars/idh.map.jinja diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 42ec3604a..446892ba4 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja 
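Review bot: `createrepo /nsm/repo` on the new last line runs regardless of whether the preceding `dnf reposync ... --delete` succeeded, so a mirror error part-way through a sync (with `--delete` pruning packages no longer upstream, if I read that flag correctly) still regenerates repo metadata over a half-updated package set that every node then installs from. Chain the two steps, `dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ && createrepo /nsm/repo`, or add `set -euo pipefail` near the top of the script, which is outside this hunk. The curl context line above also remains single-quoted, so its `$VERSION`/`$OS`/`$MINIONCOUNT` placeholders never expand.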
@@ -81,7 +81,6 @@ 'ssl', 'telegraf', 'firewall', - 'filebeat', 'idh', 'schedule', 'docker_clean' diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion index acedcffeb..e796035f9 100755 --- a/salt/common/tools/sbin/so-firewall-minion +++ b/salt/common/tools/sbin/so-firewall-minion @@ -69,7 +69,7 @@ fi so-firewall --apply --role=heavynodes --ip="$IP" ;; 'IDH') - so-firewall --apply --role=beats_endpoint_ssl --ip="$IP" + so-firewall --apply --role=sensors --ip="$IP" ;; 'RECEIVER') so-firewall --apply --role=receivers --ip="$IP" diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index a51a31ed4..03f26c556 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -119,6 +119,18 @@ function add_elastic_to_minion() { " " >> $PILLARFILE } +# Add IDH Services info to the minion file +function add_idh_to_minion() { + printf '%s\n'\ + "idh:"\ + " restrict_management_ip: $IDH_MGTRESTRICT"\ + " services:" >> "$PILLARFILE" + IFS=',' read -ra IDH_SERVICES_ARRAY <<< "$IDH_SERVICES" + for service in ${IDH_SERVICES_ARRAY[@]}; do + echo " - $service" | tr '[:upper:]' '[:lower:]' | tr -d '"' >> "$PILLARFILE" + done +} + function add_logstash_to_minion() { # Create the logstash advanced pillar printf '%s\n'\ @@ -183,8 +195,8 @@ function createEVAL() { add_sensor_to_minion } -function createIDHNODE() { - echo "Nothing custom needed for IDH nodes" +function createIDH() { + add_idh_to_minion } function createIMPORT() { diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 6886703db..30b2c78e1 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -102,3 +102,5 @@ docker: final_octet: 44 port_bindings: - 0.0.0.0:8080:8080/tcp + 'so-idh': + final_octet: 45 diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 25dbba1b0..4253d9bc2 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml 
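Review bot: Mapping an IDH node to `--role=sensors` gives a honeypot the same manager-side firewall allowances as a production sensor, which is more than a host built to be attacked should hold; the previous `beats_endpoint_ssl` role was narrower. Whatever ports the sensors hostgroup opens on the manager (presumably the redis/elastic/beats-class ports a real sensor needs) become reachable from a compromised IDH box. A dedicated hostgroup is the least-privilege option: `so-firewall --apply --role=idh --ip="$IP"`, with the idh hostgroup admitting only salt, the log-shipping port and the repo. The surrounding `case` statement continues outside the hunk.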
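Review bot: `add_idh_to_minion` writes each `$IDH_SERVICES` entry into the pillar YAML after only lowercasing and deleting `"`, so any other character that reaches it (a stray `'`, `:` or ` #` from a hand-edited install.txt, which this series persists the value in) lands unescaped in `$PILLARFILE` and can break or reshape the idh pillar on the manager. Normalize first, `service=$(tr '[:upper:]' '[:lower:]' <<< "$service" | tr -d '"')`, then reject anything not in the installer's service list with a `case` allow-list before echoing it, and quote the expansion, `for service in "${IDH_SERVICES_ARRAY[@]}"; do`. A short comment above `restrict_management_ip: $IDH_MGTRESTRICT` noting that it deliberately emits an unquoted `True`/`False` so Salt reads a boolean would keep the next editor from quoting it.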
+++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -2,6 +2,7 @@ {% import_yaml 'firewall/ports/ports.yaml' as portgroups %} {% set portgroups = portgroups.firewall.ports %} {% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', True) %} +{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} role: eval: @@ -573,7 +574,7 @@ role: portgroups: {% set idh_services = salt['pillar.get']('idh:services', []) %} {% for service in idh_services %} - - {{ portgroups['idh_'~service] }} + - {{ IDH_PORTGROUPS['idh_'~service] }} {% endfor %} dockernet: portgroups: @@ -583,4 +584,7 @@ role: - {{ portgroups.all }} manager: portgroups: - - {{ portgroups.ssh }} + - {{ IDH_PORTGROUPS.openssh }} + standalone: + portgroups: + - {{ IDH_PORTGROUPS.openssh }} diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 702f2ff63..70a676e89 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -1,3 +1,31 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} + +{% if GLOBALS.role == 'so-eval' %} +{% set NODE_CONTAINERS = [ + 'so-curator', + 'so-dockerregistry', + 'so-elasticsearch', + 'so-elastic-fleet', + 'so-elastic-fleet-package-registry', + 'so-grafana', + 'so-influxdb', + 'so-kibana', + 'so-kratos', + 'so-mysql', + 'so-nginx', + 'so-redis', + 'so-soc', + 'so-soctopus', + 'so-strelka-coordinator', + 'so-strelka-gatekeeper', + 'so-strelka-frontend', + 'so-strelka-backend', + 'so-strelka-manager', + 'so-strelka-filestream' +] %} +{% endif %} + +{% if GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %} {% set NODE_CONTAINERS = [ 'so-curator', 'so-dockerregistry', 
@@ -21,3 +49,59 @@ 'so-strelka-manager', 'so-strelka-filestream' ] %} +{% endif %} + +{% if GLOBALS.role == 'so-searchnode' %} +{% set NODE_CONTAINERS = [ + 'so-elasticsearch', + 'so-filebeat', + 'so-logstash', + 'so-nginx' +] %} +{% endif %} + +{% if GLOBALS.role == 'so-heavynode' %} +{% set NODE_CONTAINERS = [ + 'so-curator', + 'so-elasticsearch', + 'so-filebeat', + 'so-logstash', + 'so-nginx', + 'so-redis', + 'so-strelka-coordinator', + 'so-strelka-gatekeeper', + 'so-strelka-frontend', + 'so-strelka-backend', + 'so-strelka-manager', + 'so-strelka-filestream' +] %} +{% endif %} + +{% if GLOBALS.role == 'so-import' %} +{% set NODE_CONTAINERS = [ + 'so-dockerregistry', + 'so-elasticsearch', + 'so-elastic-fleet', + 'so-elastic-fleet-package-registry', + 'so-filebeat', + 'so-influxdb', + 'so-kibana', + 'so-kratos', + 'so-nginx', + 'so-soc' +] %} +{% endif %} + +{% if GLOBALS.role == 'so-receiver' %} +{% set NODE_CONTAINERS = [ + 'so-filebeat', + 'so-logstash', + 'so-redis', +] %} +{% endif %} + +{% if GLOBALS.role == 'so-idh' %} +{% set NODE_CONTAINERS = [ + 'so-idh', +] %} +{% endif %} diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index ea2d1b4e8..06586ddf2 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja @@ -1,3 +1,4 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} {% set role = grains.id.split('_') | last %} {% set translated_pillar_assigned_hostgroups = {} %} @@ -9,9 +10,15 @@ {% else %} {% set local_portgroups = {} %} {% endif %} + {% set portgroups = salt['defaults.merge'](default_portgroups, local_portgroups, in_place=False) %} {% set defined_portgroups = portgroups %} +{% if GLOBALS.role == 'so-idh' %} +{% from 'idh/opencanary_config.map.jinja' import IDH_PORTGROUPS %} +{% do salt['defaults.merge'](defined_portgroups, IDH_PORTGROUPS, in_place=True) %} +{% endif %} + {% set local_hostgroups = {'firewall': {'hostgroups': {}}} %} {% set hostgroup_list = salt['cp.list_master'](prefix='firewall/hostgroups') %} 
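Review bot: The new NODE_CONTAINERS lists for so-searchnode, so-heavynode, so-import and so-receiver still name `'so-filebeat'`, while this same commit removes `filebeat` from allowed_states.map.jinja and top.sls and the previous commit deleted the so-filebeat-* scripts, so the firewall container map will emit entries for a container those roles no longer run. Drop the `'so-filebeat',` lines from the four lists, or, if filebeat is intentionally kept on data nodes during the transition, add `{# filebeat retained on data nodes until its replacement ships #}` so the mismatch reads as deliberate. NODE_CONTAINERS is also only assigned inside role-specific `{% if %}` blocks, so a role that matches none of them leaves it undefined; a default such as `{% set NODE_CONTAINERS = [] %}` at the top of the file (outside this hunk) would avoid an undefined-variable render error on an unlisted role.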
diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja index c4533682d..cb601c163 100644 --- a/salt/idh/opencanary_config.map.jinja +++ b/salt/idh/opencanary_config.map.jinja @@ -1,11 +1,25 @@ {% set idh_services = salt['pillar.get']('idh:services', []) %} -{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %} +{% set IDH_PORTGROUPS = {} %} + +{% import_yaml "idh/defaults/defaults.yaml" as IDHCONFIG with context %} {% for service in idh_services %} {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %} - {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %} + {% do salt['defaults.merge'](IDHCONFIG, SERVICECONFIG, in_place=True) %} {% endfor %} -{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} -{% do OPENCANARYCONFIG.idh.opencanary.config.update({'device.node_id': grains.host}) %} +{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %} +{% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %} +{% for service in idh_services %} + {% if service in ["smnp","ntp", "tftp"] %} + {% set proto = 'udp' %} + {% else %} + {% set proto = 'tcp' %} + {% endif %} + {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %} +{% endfor %} + +{% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %} + +{% do OPENCANARYCONFIG.update({'device.node_id': grains.host}) %} diff --git a/salt/top.sls b/salt/top.sls index 3c4401478..529bdd2a4 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -368,9 +368,6 @@ base: - firewall - schedule - docker_clean - {%- if FILEBEAT %} - - filebeat - {%- endif %} - idh 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': 
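Review bot: The protocol test `{% if service in ["smnp","ntp", "tftp"] %}` misspells snmp, so an `snmp` honeypot service (which the installer's checklist advertises as UDP/161) is classified as tcp and IDH_PORTGROUPS opens TCP/161 while the UDP port the listener actually uses stays blocked. Fix the literal: `{% if service in ["snmp", "ntp", "tftp"] %}`. A comment above it, `{# services opencanary serves over UDP; everything else is TCP #}`, would make the list self-documenting. The comparison is exact-match, so it relies on the service names in the pillar being lower case, which the pillar writer in this series produces.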
diff --git a/salt/vars/idh.map.jinja b/salt/vars/idh.map.jinja new file mode 100644 index 000000000..396cefcc9 --- /dev/null +++ b/salt/vars/idh.map.jinja @@ -0,0 +1 @@ +{% set ROLE_GLOBALS = {} %} \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 34bbe0610..8139b60a1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -339,6 +339,33 @@ collect_hostname_validate() { done } +collect_idh_preferences() { + IDH_MGTRESTRICT='False' + whiptail_idh_preferences + + if [[ "$idh_preferences" != "" ]]; then IDH_MGTRESTRICT='True'; fi +} + +collect_idh_services() { + whiptail_idh_services + + case "$IDH_SERVICES" in + 'Linux Webserver (NAS Skin)') + IDH_SERVICES='"HTTP","FTP","SSH"' + ;; + 'MySQL Server') + IDH_SERVICES='"MYSQL","SSH"' + ;; + 'MSSQL Server') + IDH_SERVICES='"MSSQL","VNC' + ;; + 'Custom') + whiptail_idh_services_custom + IDH_SERVICES=$(echo "$IDH_SERVICES" | tr '[:blank:]' ',' ) + ;; + esac +} + collect_int_ip_mask() { whiptail_management_interface_ip_mask @@ -1875,6 +1902,8 @@ drop_install_options() { echo "LSHOSTNAME=$HOSTNAME" >> /opt/so/install.txt echo "LSHEAP=$LS_HEAP_SIZE" >> /opt/so/install.txt echo "CPUCORES=$num_cpu_cores" >> /opt/so/install.txt + echo "IDH_MGTRESTRICT=$IDH_MGTRESTRICT" >> /opt/so/install.txt + echo "IDH_SERVICES=$IDH_SERVICES" >> /opt/so/install.txt } remove_package() { diff --git a/setup/so-setup b/setup/so-setup index 9ecbed08c..a1b672918 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -453,6 +453,8 @@ if ! [[ -f $install_opt_file ]]; then collect_mngr_hostname add_mngr_ip_to_hosts check_manager_connection + collect_idh_services + collect_idh_preferences set_minion_info whiptail_end_settings 
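Review bot: The `'MSSQL Server'` branch of `collect_idh_services` sets `IDH_SERVICES='"MSSQL","VNC'` with no closing quote on VNC, so the value persisted to /opt/so/install.txt is malformed; it only works today because so-minion strips every `"` before writing the pillar. It should read `IDH_SERVICES='"MSSQL","VNC"'`. In `collect_idh_preferences` the check `[[ "$idh_preferences" != "" ]]` is correct for the radiolist but opaque on its own; a comment such as `# whiptail returns $MAINIP when the restrict option is ticked, empty otherwise` would save the next reader a trip to so-whiptail.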
@@ -538,8 +540,6 @@ if ! [[ -f $install_opt_file ]]; then export NODETYPE=$install_type export MINION_ID=$MINION_ID export ES_HEAP_SIZE=$ES_HEAP_SIZE - export IDHMGTRESTRICT=$IDHMGTRESTRICT - export idh_services=$idh_services export MNIC=$MNIC export NODE_DESCRIPTION=$NODE_DESCRIPTION export MAINIP=$MAINIP diff --git a/setup/so-whiptail b/setup/so-whiptail index 715baa375..6123ea97d 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -466,6 +466,58 @@ whiptail_gauge_post_setup() { fi } + whiptail_idh_preferences() { + + [ -n "$TESTING" ] && return + + idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ + "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \ + "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + +whiptail_idh_services() { + + [ -n "$TESTING" ] && return + + IDH_SERVICES=$(whiptail --title "$whiptail_title" --radiolist \ + "\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \ + "Linux Webserver (NAS Skin)" "Apache (80), FTP (21), SSH (22)" ON \ + "MySQL Server" "MySQL (3306), SSH (22)" OFF \ + "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \ + "Custom" "Select a custom set of services" OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + + +whiptail_idh_services_custom() { + + [ -n "$TESTING" ] && return + + IDH_SERVICES=$(whiptail --title "$whiptail_title" --checklist \ + "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports. Some services have additional configuration options, please consult the documentation for further information." 
25 75 8 \ + "FTP" " TCP/21, Additional Configuration Available " OFF \ + "Git" " TCP/9418 " OFF \ + "HTTP" " TCP/80, Additional Configuration Available " OFF \ + "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \ + "MSSQL" " TCP/1433 " OFF \ + "MySQL" " TCP/3306, Additional Configuration Available " OFF \ + "NTP" " UDP/123 " OFF \ + "REDIS" " TCP/6379 " OFF \ + "SNMP" " UDP/161 " OFF \ + "SSH" " TCP/22, Additional Configuration Available " OFF \ + "TELNET" " TCP/23, Additional Configuration Available " OFF \ + "TFTP" " UDP/69 " OFF \ + "VNC" " TCP/5900 " OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_install_type() { [ -n "$TESTING" ] && return From a3bda9b3220c4cd22fb45bcf1c8b409c21b0c9a3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 21 Feb 2023 13:48:03 -0500 Subject: [PATCH 147/470] podman changes to disable mgmt of iptables --- salt/firewall/assigned_hostgroups.map.yaml | 3 ++ salt/podman/files/sobridge.conflist | 48 ++++++++++++++++++++++ salt/podman/init.sls | 11 +++++ 3 files changed, 62 insertions(+) create mode 100644 salt/podman/files/sobridge.conflist diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 25dbba1b0..10ddae371 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -254,6 +254,9 @@ role: chain: DOCKER-USER: hostgroups: + localhost: + portgroups: + - {{ portgroups.all }} standalone: portgroups: - {{ portgroups.playbook }} diff --git a/salt/podman/files/sobridge.conflist b/salt/podman/files/sobridge.conflist new file mode 100644 index 000000000..45a7e2df9 --- /dev/null +++ b/salt/podman/files/sobridge.conflist 
@@ -0,0 +1,48 @@ +{ + "args": { + "podman_options": { + "isolate": "true", + "mtu": "1500" + } + }, + "cniVersion": "0.4.0", + "name": "sobridge", + "plugins": [ + { + "type": "bridge", + "bridge": "sobridge", + "isGateway": true, + "ipMasq": false, + "mtu": 1500, + "hairpinMode": false, + "ipam": { + "type": "host-local", + "routes": [ + { + "dst": "0.0.0.0/0" + } + ], + "ranges": [ + [ + { + "subnet": "172.17.1.0/24", + "gateway": "172.17.1.1" + } + ] + ] + }, + "capabilities": { + "ips": true + } + }, + { + "type": "portmap", + "capabilities": { + "portMappings": false + } + }, + { + "type": "tuning" + } + ] +} diff --git a/salt/podman/init.sls b/salt/podman/init.sls index 8fe1950da..d5efa0fdb 100644 --- a/salt/podman/init.sls +++ b/salt/podman/init.sls @@ -4,6 +4,10 @@ Podman pkg: pkg.installed: - name: podman +cnipkg: + pkg.installed: + - name: containernetworking-plugins + {# Podman service: file.managed: @@ -11,6 +15,11 @@ Podman service: - source: salt://podman/podman.service #} +sobridgeconf: + file.managed: + - name: /etc/cni/net.d/sobridge.conflist + - source: salt://podman/files/sobridge.conflist + Podman_socket_service: service.running: - name: podman.socket @@ -31,6 +40,7 @@ podman_docker_symlink: - name: /usr/bin/docker - target: /usr/bin/podman +{# sos_docker_net: docker_network.present: - name: sobridge @@ -43,3 +53,4 @@ sos_docker_net: com.docker.network.bridge.enable_icc: 'true' com.docker.network.bridge.host_binding_ipv4: '0.0.0.0' - unless: 'docker network ls | grep sobridge' +#} From de499ead0cec88b8f940bd5b4e2f9d9d65698065 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 21 Feb 2023 15:11:14 -0500 Subject: [PATCH 148/470] update fw rules --- salt/firewall/iptables.jinja | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index ec2a5ae65..4d6ece25a 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
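Review bot: `sobridgeconf` drops a CNI network definition into `/etc/cni/net.d/` with no `user`/`group`/`mode` and no `require` on `cnipkg`, so the file's permissions are whatever Salt inherits and, on a fresh host, the state can be evaluated before the directory the plugins package creates exists. Add `- user: root`, `- group: root`, `- mode: 644` and `- require: - pkg: cnipkg` (or `- makedirs: True` if you would rather not depend on the package for the directory). Because the conflist sets `ipMasq: false` and disables the `portMappings` capability, a comment above the state stating that the host's own iptables template is now solely responsible for container egress NAT and published ports would record the intent behind the "disable mgmt of iptables" change.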
@@ -93,7 +93,6 @@ COMMIT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP --A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER @@ -106,7 +105,6 @@ COMMIT -A FORWARD -i lo -j ACCEPT -A FORWARD -m conntrack --ctstate INVALID -j DROP -A FORWARD -j REJECT --reject-with icmp-host-prohibited --A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP {%- for rule in D2 %} From f2b0d67d8ba7a8d69b7f32fc954b70cb2ab0ab32 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 21 Feb 2023 15:20:49 -0500 Subject: [PATCH 149/470] update fw rules --- salt/firewall/iptables.jinja | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index 4d6ece25a..142f41ce8 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja @@ -101,10 +101,6 @@ COMMIT -A FORWARD -o sobridge -j DOCKER -A FORWARD -i sobridge ! -o sobridge -j ACCEPT -A FORWARD -i sobridge -o sobridge -j ACCEPT --A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A FORWARD -i lo -j ACCEPT --A FORWARD -m conntrack --ctstate INVALID -j DROP --A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP {%- for rule in D2 %} From cc654fda9f286f4ca5cf0fd8a80579117f3759a4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 21 Feb 2023 15:43:41 -0500 Subject: [PATCH 150/470] fw 2.4 update --- salt/firewall/iptables.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index 142f41ce8..8aea5ed36 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
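Review bot: Dropping `-A OUTPUT -o lo -j ACCEPT` in `@@ -106,7 +105,6 @@`, `-A INPUT -i lo -j ACCEPT` in the next commit's `@@ -91,7 +91,6 @@`, and the whole conntrack/`REJECT` tail of FORWARD in `@@ -101,10 +101,6 @@` makes the fate of loopback and forwarded traffic depend entirely on the chain policies declared in the `*filter` header, which is outside all three hunks. If the INPUT policy is not ACCEPT, anything listening on 127.0.0.1 now falls through to `-A INPUT -j LOGGING`, and once FORWARD loses its catch-all only `-A FORWARD -i sobridge ! -o sobridge -j ACCEPT` and DOCKER-USER decide what crosses the bridge, with no `INVALID` drop left. I cannot tell from these hunks whether that is intended, so please state the intended policy in the template, e.g. `{# loopback and FORWARD catch-all rules removed: INPUT/FORWARD rely on the chain policy and DOCKER-USER #}`, and check the policy line agrees with it.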
@@ -91,7 +91,6 @@ COMMIT {%- endfor %} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING From 8645cd0c3b4bdfa67fd25b107b0aac3c0d617596 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 08:57:00 -0500 Subject: [PATCH 151/470] add docker --- salt/docker/init.sls | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 37208650e..985838780 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -26,12 +26,10 @@ dockerheldpackages: dockerheldpackages: pkg.installed: - pkgs: - - containerd.io: 1.4.4-3.1.el7 - - docker-ce: 3:20.10.5-3.el7 - - docker-ce-cli: 1:20.10.5-3.el7 - - docker-ce-rootless-extras: 20.10.5-3.el7 - - hold: True - - update_holds: True + - containerd.io + - docker-ce + - docker-ce-cli + - docker-ce-rootless-extras {% endif %} #disable docker from managing iptables From 7b6db5d95acbb239c90cdbe2cee5b1f85c87f640 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 09:08:39 -0500 Subject: [PATCH 152/470] add docker --- salt/docker/init.sls | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/salt/docker/init.sls b/salt/docker/init.sls index 985838780..f2a4c80a9 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls @@ -26,10 +26,12 @@ dockerheldpackages: dockerheldpackages: pkg.installed: - pkgs: - - containerd.io - - docker-ce - - docker-ce-cli - - docker-ce-rootless-extras + - containerd.io: 1.6.18-3.1.el9 + - docker-ce: 23.0.1-1.el9 + - docker-ce-cli: 23.0.1-1.el9 + - docker-ce-rootless-extras: 23.0.1-1.el9 + - hold: True + - update_holds: True {% endif %} #disable docker from managing iptables From 56ccf5c5044670447ef3a120dbf6b0911f1b1aa1 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 22 Feb 2023 09:13:16 -0500 Subject: [PATCH 153/470] remove podman --- salt/top.sls | 1 - setup/so-setup | 1 - 2 files changed, 2 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 1896d5fb3..272e6d8a9 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -21,7 +21,6 @@ base: '*': - cron.running - repo.client - - podman - ntp 'not G@saltversion:{{saltversion}}': diff --git a/setup/so-setup b/setup/so-setup index f9243dfa5..ce2f42f6e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -579,7 +579,6 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" - logCmd "salt-call state.apply podman" firewall_generate_templates set_initial_firewall_policy From 327855b0af6d691c04a659dbe184f9fc20a5478c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 09:28:51 -0500 Subject: [PATCH 154/470] add docker --- salt/common/tools/sbin/so-common | 2 +- salt/repo/client/files/rocky/keys/docker.pub | 28 ++++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 salt/repo/client/files/rocky/keys/docker.pub diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index d66a6cc6f..dc5ae2123 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -194,7 +194,7 @@ gpg_rpm_import() { local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys" fi - RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALTSTACK-GPG-KEY2.pub' 'securityonion.pub') + RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALTSTACK-GPG-KEY2.pub' 'docker.pub' 'securityonion.pub') for RPMKEY in "${RPMKEYS[@]}"; do rpm --import $RPMKEYSLOC/$RPMKEY diff --git a/salt/repo/client/files/rocky/keys/docker.pub b/salt/repo/client/files/rocky/keys/docker.pub new file mode 100644 index 000000000..1967cbf01 --- /dev/null +++ b/salt/repo/client/files/rocky/keys/docker.pub 
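Review bot: `docker.pub` is added to the list that `rpm --import` feeds into the trusted keyring with no record of its origin or expected fingerprint, so a later reviewer cannot tell a genuine Docker CE release key from a substituted one without fetching it independently, and every package signed by it becomes installable. Add a provenance comment above the array, e.g. `# docker.pub: Docker CE rpm release key; compare its fingerprint with the vendor-published value before replacing the file`. While the line is being touched, `rpm --import "$RPMKEYSLOC/$RPMKEY"` quotes the path that the loop passes unquoted. gpg_rpm_import's body begins before this hunk.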
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFit5IEBEADDt86QpYKz5flnCsOyZ/fk3WwBKxfDjwHf/GIflo+4GWAXS7wJ +1PSzPsvSDATV10J44i5WQzh99q+lZvFCVRFiNhRmlmcXG+rk1QmDh3fsCCj9Q/yP +w8jn3Hx0zDtz8PIB/18ReftYJzUo34COLiHn8WiY20uGCF2pjdPgfxE+K454c4G7 +gKFqVUFYgPug2CS0quaBB5b0rpFUdzTeI5RCStd27nHCpuSDCvRYAfdv+4Y1yiVh +KKdoe3Smj+RnXeVMgDxtH9FJibZ3DK7WnMN2yeob6VqXox+FvKYJCCLkbQgQmE50 +uVK0uN71A1mQDcTRKQ2q3fFGlMTqJbbzr3LwnCBE6hV0a36t+DABtZTmz5O69xdJ +WGdBeePCnWVqtDb/BdEYz7hPKskcZBarygCCe2Xi7sZieoFZuq6ltPoCsdfEdfbO ++VBVKJnExqNZCcFUTEnbH4CldWROOzMS8BGUlkGpa59Sl1t0QcmWlw1EbkeMQNrN +spdR8lobcdNS9bpAJQqSHRZh3cAM9mA3Yq/bssUS/P2quRXLjJ9mIv3dky9C3udM ++q2unvnbNpPtIUly76FJ3s8g8sHeOnmYcKqNGqHq2Q3kMdA2eIbI0MqfOIo2+Xk0 +rNt3ctq3g+cQiorcN3rdHPsTRSAcp+NCz1QF9TwXYtH1XV24A6QMO0+CZwARAQAB +tCtEb2NrZXIgUmVsZWFzZSAoQ0UgcnBtKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 +BBMBCgAhBQJYrep4AhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEMUv62ti +Hp816C0P/iP+1uhSa6Qq3TIc5sIFE5JHxOO6y0R97cUdAmCbEqBiJHUPNQDQaaRG +VYBm0K013Q1gcJeUJvS32gthmIvhkstw7KTodwOM8Kl11CCqZ07NPFef1b2SaJ7l +TYpyUsT9+e343ph+O4C1oUQw6flaAJe+8ATCmI/4KxfhIjD2a/Q1voR5tUIxfexC +/LZTx05gyf2mAgEWlRm/cGTStNfqDN1uoKMlV+WFuB1j2oTUuO1/dr8mL+FgZAM3 +ntWFo9gQCllNV9ahYOON2gkoZoNuPUnHsf4Bj6BQJnIXbAhMk9H2sZzwUi9bgObZ +XO8+OrP4D4B9kCAKqqaQqA+O46LzO2vhN74lm/Fy6PumHuviqDBdN+HgtRPMUuao +xnuVJSvBu9sPdgT/pR1N9u/KnfAnnLtR6g+fx4mWz+ts/riB/KRHzXd+44jGKZra +IhTMfniguMJNsyEOO0AN8Tqcl0eRBxcOArcri7xu8HFvvl+e+ILymu4buusbYEVL +GBkYP5YMmScfKn+jnDVN4mWoN1Bq2yMhMGx6PA3hOvzPNsUoYy2BwDxNZyflzuAi +g59mgJm2NXtzNbSRJbMamKpQ69mzLWGdFNsRd4aH7PT7uPAURaf7B5BVp3UyjERW +5alSGnBqsZmvlRnVH5BDUhYsWZMPRQS9rRr4iGW0l+TH+O2VJ8aQ +=0Zqq +-----END PGP PUBLIC KEY BLOCK----- From 53b58d532af9d993ca31034aa631e8de715b7d97 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 09:35:37 -0500 Subject: [PATCH 155/470] apply docker state during setup --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index ce2f42f6e..9448a4011 100755 
--- a/setup/so-setup +++ b/setup/so-setup @@ -579,6 +579,7 @@ if ! [[ -f $install_opt_file ]]; then logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common" + logCmd "salt-call state.apply docker" firewall_generate_templates set_initial_firewall_policy From d0bb7dc475d6c3c59d47c588219d61556069f702 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 10:04:43 -0500 Subject: [PATCH 156/470] repo for rocky --- .../rocky/keys/RPM-GPG-KEY-rockyofficial | 29 +++++++++ salt/repo/client/files/rocky/yum.conf.jinja | 17 +++++ salt/repo/client/rocky.sls | 62 +++++++++++++++++++ 3 files changed, 108 insertions(+) create mode 100644 salt/repo/client/files/rocky/keys/RPM-GPG-KEY-rockyofficial create mode 100644 salt/repo/client/files/rocky/yum.conf.jinja create mode 100644 salt/repo/client/rocky.sls diff --git a/salt/repo/client/files/rocky/keys/RPM-GPG-KEY-rockyofficial b/salt/repo/client/files/rocky/keys/RPM-GPG-KEY-rockyofficial new file mode 100644 index 000000000..28ce769ce --- /dev/null +++ b/salt/repo/client/files/rocky/keys/RPM-GPG-KEY-rockyofficial 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGAofzYBEAC6yS1azw6f3wmaVd//3aSy6O2c9+jeetulRQvg2LvhRRS1eNqp +/x9tbBhfohu/tlDkGpYHV7diePgMml9SZDy1sKlI3tDhx6GZ3xwF0fd1vWBZpmNk +D9gRkUmYBeLotmcXQZ8ZpWLicosFtDpJEYpLUhuIgTKwt4gxJrHvkWsGQiBkJxKD +u3/RlL4IYA3Ot9iuCBflc91EyAw1Yj0gKcDzbOqjvlGtS3ASXgxPqSfU0uLC9USF +uKDnP2tcnlKKGfj0u6VkqISliSuRAzjlKho9Meond+mMIFOTT6qp4xyu+9Dj3IjZ +IC6rBXRU3xi8z0qYptoFZ6hx70NV5u+0XUzDMXdjQ5S859RYJKijiwmfMC7gZQAf +OkdOcicNzen/TwD/slhiCDssHBNEe86Wwu5kmDoCri7GJlYOlWU42Xi0o1JkVltN +D8ZId+EBDIms7ugSwGOVSxyZs43q2IAfFYCRtyKHFlgHBRe9/KTWPUrnsfKxGJgC +Do3Yb63/IYTvfTJptVfhQtL1AhEAeF1I+buVoJRmBEyYKD9BdU4xQN39VrZKziO3 +hDIGng/eK6PaPhUdq6XqvmnsZ2h+KVbyoj4cTo2gKCB2XA7O2HLQsuGduHzYKNjf +QR9j0djjwTrsvGvzfEzchP19723vYf7GdcLvqtPqzpxSX2FNARpCGXBw9wARAQAB +tDNSZWxlYXNlIEVuZ2luZWVyaW5nIDxpbmZyYXN0cnVjdHVyZUByb2NreWxpbnV4 +Lm9yZz6JAk4EEwEIADgWIQRwUcRwqSn0VM6+N7cVr12sbXRaYAUCYCh/NgIbDwUL +CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAVr12sbXRaYLFmEACSMvoO1FDdyAbu +1m6xEzDhs7FgnZeQNzLZECv2j+ggFSJXezlNVOZ5I1I8umBan2ywfKQD8M+IjmrW +k9/7h9i54t8RS/RN7KNo7ECGnKXqXDPzBBTs1Gwo1WzltAoaDKUfXqQ4oJ4aCP/q +/XPVWEzgpJO1XEezvCq8VXisutyDiXEjjMIeBczxb1hbamQX+jLTIQ1MDJ4Zo1YP +zlUqrHW434XC2b1/WbSaylq8Wk9cksca5J+g3FqTlgiWozyy0uxygIRjb6iTzKXk +V7SYxeXp3hNTuoUgiFkjh5/0yKWCwx7aQqlHar9GjpxmBDAO0kzOlgtTw//EqTwR +KnYZLig9FW0PhwvZJUigr0cvs/XXTTb77z/i/dfHkrjVTTYenNyXogPtTtSyxqca +61fbPf0B/S3N43PW8URXBRS0sykpX4SxKu+PwKCqf+OJ7hMEVAapqzTt1q9T7zyB +QwvCVx8s7WWvXbs2d6ZUrArklgjHoHQcdxJKdhuRmD34AuXWCLW+gH8rJWZpuNl3 ++WsPZX4PvjKDgMw6YMcV7zhWX6c0SevKtzt7WP3XoKDuPhK1PMGJQqQ7spegGB+5 +DZvsJS48Ip0S45Qfmj82ibXaCBJHTNZE8Zs+rdTjQ9DS5qvzRA1sRA1dBb/7OLYE +JmeWf4VZyebm+gc50szsg6Ut2yT8hw== +=AiP8 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja new file mode 100644 index 000000000..bd31ac007 --- /dev/null +++ b/salt/repo/client/files/rocky/yum.conf.jinja 
@@ -0,0 +1,17 @@
+{% set proxy = salt['pillar.get']('manager:proxy') -%}
+[main]
+cachedir=/var/cache/yum/$basearch/$releasever
+keepcache=0
+debuglevel=2
+logfile=/var/log/yum.log
+exactarch=1
+obsoletes=1
+gpgcheck=1
+plugins=1
+installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
+bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
+distroverpkg=centos-release
+clean_requirements_on_remove=1
+{% if proxy -%}
+proxy={{ proxy }}
+{% endif %}
diff --git a/salt/repo/client/rocky.sls b/salt/repo/client/rocky.sls
new file mode 100644
index 000000000..9d522f849
--- /dev/null
+++ b/salt/repo/client/rocky.sls
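Review bot: `distroverpkg=centos-release` and the CentOS `bugtracker_url` are carried into a template that rocky.sls installs only when `grains['os'] == 'Rocky'`; on a front-end that honours `distroverpkg` the `$releasever` used in `cachedir` cannot be resolved from a package that is not installed there, whereas dnf ignores the key, so the impact depends on which tool is in use — please confirm. If the key is kept it should name the distribution's own release package, e.g. `distroverpkg=rocky-release`, and the bug tracker URL either updated or dropped. `gpgcheck=1` being set globally is the right default and worth a one-line comment so it is not loosened later.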
@@ -0,0 +1,62 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+{% from 'repo/client/map.jinja' import ABSENTFILES with context %}
+{% from 'repo/client/map.jinja' import REPOPATH with context %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% set role = grains.id.split('_') | last %}
+{% set MANAGER = salt['grains.get']('master') %}
+{% if grains['os'] == 'Rocky' %}
+
+{% if ABSENTFILES|length > 0%}
+ {% for file in ABSENTFILES %}
+{{ file }}:
+ file.absent:
+ - name: {{ REPOPATH }}{{ file }}
+ - onchanges_in:
+ - cmd: cleanyum
+ {% endfor %}
+{% endif %}
+
+cleanyum:
+ cmd.run:
+ - name: 'yum clean all'
+ - onchanges:
+ - so_repo
+
+yumconf:
+ file.managed:
+ - name: /etc/yum.conf
+ - source: salt://repo/client/files/rocky/yum.conf.jinja
+ - mode: 644
+ - template: jinja
+ - show_changes: False
+
+repair_yumdb:
+ cmd.run:
+ - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all'
+ - onlyif:
+ - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"'
+
+crsynckeys:
+ file.recurse:
+ - name: /etc/pki/rpm-gpg
+ - source: salt://repo/client/files/rocky/keys/
+
+so_repo:
+ pkgrepo.managed:
+ - name: securityonion
+ - humanname: Security Onion Repo
+ {% if GLOBALS.role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %}
+ - baseurl: file:///nsm/repo/
+ {% else %}
+ - baseurl: https://{{ GLOBALS.repo_host }}/repo
+ {% endif %}
+ - enabled: 1
+ - gpgcheck: 1
+
+{% endif %}
+
+# TODO: Add a pillar entry for custom repos
From db3a46b6a10320830ece3d0a8eb924dcd8dab661 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 10:07:04 -0500 Subject: [PATCH 157/470] fix indent --- salt/repo/client/rocky.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
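Review bot: `so_repo` sets `gpgcheck: 1` but gives no `gpgkey`, so signature checking of the securityonion repo silently depends on the right key already sitting in the rpm database from some other path (this file only copies the key files to `/etc/pki/rpm-gpg` via `crsynckeys`); if that import has not happened yet, installs from the repo fail, and a reader of this state cannot see which key is supposed to vouch for it. Add `- gpgkey: file:///etc/pki/rpm-gpg/securityonion.pub` (assuming that file, which so-common's gpg_rpm_import also imports, is the repo signing key) together with `- require:` / `  - file: crsynckeys`. `role` and `MANAGER` are set at the top but never used, and `repair_yumdb` parks rpmdb files in world-writable `/tmp`; a dedicated directory under `/var/lib` would be a safer landing spot. The `644` mode is fine for Salt but `'0644'` avoids any YAML integer reading.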
diff --git a/salt/repo/client/rocky.sls b/salt/repo/client/rocky.sls index 9d522f849..79f56546d 100644 --- a/salt/repo/client/rocky.sls +++ b/salt/repo/client/rocky.sls @@ -52,7 +52,7 @@ so_repo: {% if GLOBALS.role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %} - baseurl: file:///nsm/repo/ {% else %} - - baseurl: https://{{ GLOBALS.repo_host }}/repo + - baseurl: https://{{ GLOBALS.repo_host }}/repo {% endif %} - enabled: 1 - gpgcheck: 1 From c3784fe548eb53027b2c5d26a95133055372e4e8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 10:09:52 -0500 Subject: [PATCH 158/470] remove grafana --- salt/top.sls | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 272e6d8a9..eb42bfbbb 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -76,7 +76,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall @@ -121,7 +120,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall @@ -164,7 +162,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall @@ -229,7 +226,6 @@ base: - nginx - telegraf - influxdb - - grafana - soc - kratos - firewall From b8966aa33ad205452d1e9622e913fe5573f0559d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 10:24:51 -0500 Subject: [PATCH 159/470] fix role match --- salt/repo/client/rocky.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/repo/client/rocky.sls b/salt/repo/client/rocky.sls index 79f56546d..a99d3f422 100644 --- a/salt/repo/client/rocky.sls +++ b/salt/repo/client/rocky.sls @@ -49,7 +49,7 @@ so_repo: pkgrepo.managed: - name: securityonion - humanname: Security Onion Repo - {% if GLOBALS.role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %} + {% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-import', 'so-manager', 'so-managersearch'] %} - baseurl: file:///nsm/repo/ {% else %} - baseurl: https://{{ GLOBALS.repo_host }}/repo 
From 6dd09fb2c5e75559e63e3c76cecf962cfd092cfd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 10:42:45 -0500 Subject: [PATCH 160/470] remove filebeat --- salt/allowed_states.map.jinja | 6 ------ .../tools/sbin/so-elastic-auth-password-reset | 2 -- salt/common/tools/sbin/so-elastic-clear | 17 ++--------------- salt/common/tools/sbin/so-elastic-restart | 4 ---- salt/common/tools/sbin/so-elastic-start | 4 ---- salt/common/tools/sbin/so-elastic-stop | 4 ---- salt/common/tools/sbin/so-restart | 4 ++-- salt/common/tools/sbin/so-start | 4 ++-- salt/common/tools/sbin/so-stop | 4 ++-- salt/curator/files/bin/so-curator-close | 5 ----- salt/curator/files/bin/so-curator-cluster-close | 5 ----- .../curator/files/bin/so-curator-cluster-delete | 5 ----- salt/curator/files/bin/so-curator-cluster-warm | 5 ----- salt/docker/defaults.yaml | 6 ------ salt/firewall/containers.map.jinja | 5 ----- setup/so-functions | 2 +- setup/so-variables | 8 +------- 17 files changed, 10 insertions(+), 80 deletions(-) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index cff5fdcdf..bc2a7c86b 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -8,7 +8,6 @@ {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} -{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} {% set KIBANA = salt['pillar.get']('kibana:enabled', True) %} {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} {% set CURATOR = salt['pillar.get']('curator:enabled', True) %} @@ -188,7 +187,6 @@ 'pcap', 'suricata', 'healthcheck', - 'filebeat', 'schedule', 'tcpreplay', 'docker_clean' 
@@ -204,10 +202,6 @@ ], }, grain='role') %} - {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} - {% do allowed_states.append('filebeat') %} - {% endif %} - {% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} {% do allowed_states.append('mysql') %} {% endif %} diff --git a/salt/common/tools/sbin/so-elastic-auth-password-reset b/salt/common/tools/sbin/so-elastic-auth-password-reset index 17404e953..5bc5230c3 100755 --- a/salt/common/tools/sbin/so-elastic-auth-password-reset +++ b/salt/common/tools/sbin/so-elastic-auth-password-reset @@ -95,8 +95,6 @@ function soUserSync() { $(dirname $0)/so-user sync printf "\nApplying logstash state to the appropriate nodes.\n\n" salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply logstash queue=True - printf "\nApplying filebeat state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True printf "\nApplying kibana state to the appropriate nodes.\n\n" salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch' state.apply kibana queue=True printf "\nApplying curator state to the appropriate nodes.\n\n" diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index 08da4021c..fca676172 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear 
@@ -54,17 +54,10 @@ if [ $SKIP -ne 1 ]; then if [ "$INPUT" != "AGREE" ] ; then exit 0; fi fi -# Check to see if Logstash/Filebeat are running +# Check to see if Logstash are running LS_ENABLED=$(so-status | grep logstash) -FB_ENABLED=$(so-status | grep filebeat) EA_ENABLED=$(so-status | grep elastalert) -if [ ! -z "$FB_ENABLED" ]; then - - /usr/sbin/so-filebeat-stop - -fi - if [ ! -z "$LS_ENABLED" ]; then /usr/sbin/so-logstash-stop @@ -86,13 +79,7 @@ do curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 done -#Start Logstash/Filebeat -if [ ! -z "$FB_ENABLED" ]; then - - /usr/sbin/so-filebeat-start - -fi - +#Start Logstash if [ ! -z "$LS_ENABLED" ]; then /usr/sbin/so-logstash-start diff --git a/salt/common/tools/sbin/so-elastic-restart b/salt/common/tools/sbin/so-elastic-restart index 4fb8ae10b..67988193f 100755 --- a/salt/common/tools/sbin/so-elastic-restart +++ b/salt/common/tools/sbin/so-elastic-restart @@ -22,10 +22,6 @@ /usr/sbin/so-restart logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} -/usr/sbin/so-restart filebeat $1 -{%- endif %} - {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-restart curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-start b/salt/common/tools/sbin/so-elastic-start index 04c076662..fd78d1859 100755 --- a/salt/common/tools/sbin/so-elastic-start +++ b/salt/common/tools/sbin/so-elastic-start @@ -22,10 +22,6 @@ /usr/sbin/so-start logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} -/usr/sbin/so-start filebeat $1 -{%- endif %} - {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-start curator $1 {%- endif %} 
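Review bot: The rewritten comment `# Check to see if Logstash are running` kept the plural verb from the Logstash/Filebeat version it replaces; `# Check to see if Logstash is running` reads correctly, and the matching `#Start Logstash` below would be clearer as `# Stop/start Logstash around the index deletion`. The surrounding script starts and ends outside these hunks.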
diff --git a/salt/common/tools/sbin/so-elastic-stop b/salt/common/tools/sbin/so-elastic-stop index 45e8fd18b..88350a8fe 100755 --- a/salt/common/tools/sbin/so-elastic-stop +++ b/salt/common/tools/sbin/so-elastic-stop @@ -22,10 +22,6 @@ /usr/sbin/so-stop logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} -/usr/sbin/so-stop filebeat $1 -{%- endif %} - {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-stop curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart index 3790625f7..dfedf290b 100755 --- a/salt/common/tools/sbin/so-restart +++ b/salt/common/tools/sbin/so-restart @@ -7,7 +7,7 @@ -# Usage: so-restart filebeat | kibana | playbook +# Usage: so-restart kibana | playbook . /usr/sbin/so-common @@ -27,5 +27,5 @@ if [ $# -ge 1 ]; then *) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;; esac else - echo -e "\nPlease provide an argument by running like so-restart $component, or by using the component-specific script.\nEx. so-restart filebeat, or so-filebeat-restart\n" + echo -e "\nPlease provide an argument by running like so-restart $component, or by using the component-specific script.\nEx. so-restart logstash, or so-logstash-restart\n" fi diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start index 6e208a6af..fbf3e4300 100755 --- a/salt/common/tools/sbin/so-start +++ b/salt/common/tools/sbin/so-start @@ -7,7 +7,7 @@ -# Usage: so-start all | filebeat | kibana | playbook +# Usage: so-start all | kibana | playbook . /usr/sbin/so-common 
@@ -27,5 +27,5 @@ if [ $# -ge 1 ]; then *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; esac else - echo -e "\nPlease provide an argument by running like so-start $component, or by using the component-specific script.\nEx. so-start filebeat, or so-filebeat-start\n" + echo -e "\nPlease provide an argument by running like so-start $component, or by using the component-specific script.\nEx. so-start logstash, or so-logstash-start\n" fi diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop index 3538b2fd3..32e24f83a 100755 --- a/salt/common/tools/sbin/so-stop +++ b/salt/common/tools/sbin/so-stop @@ -7,7 +7,7 @@ -# Usage: so-stop filebeat | kibana | playbook | thehive +# Usage: so-stop kibana | playbook | thehive . /usr/sbin/so-common @@ -20,6 +20,6 @@ if [ $# -ge 1 ]; then *) docker stop so-$1 ; docker rm so-$1 ;; esac else - echo -e "\nPlease provide an argument by running like so-stop $component, or by using the component-specific script.\nEx. so-stop filebeat, or so-filebeat-stop\n" + echo -e "\nPlease provide an argument by running like so-stop $component, or by using the component-specific script.\nEx. so-stop logstash, or so-logstash-stop\n" fi diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 4d6fbe602..885cb4502 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
@@ -13,8 +13,6 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} - /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; @@ -27,6 +25,3 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -{% for INDEX in MODULESMERGED.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} -{% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close index 95d882619..0929149ed 100644 --- a/salt/curator/files/bin/so-curator-cluster-close +++ b/salt/curator/files/bin/so-curator-cluster-close 
@@ -13,8 +13,6 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} - docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; @@ -25,6 +23,3 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1; -{% for INDEX in MODULESMERGED.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-close.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} -{% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index 9ec5129af..2d71f725d 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -13,8 +13,6 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} - docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-delete.yml > /dev/null 2>&1; @@ -25,6 +23,3 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1; -{% for INDEX in MODULESMERGED.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-delete.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} -{% endfor -%} diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 7de6dd391..f868caf0d 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -14,8 +14,6 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -{% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} - docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; @@ -26,6 +24,3 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-warm.yml > /dev/null 2>&1; -{% for INDEX in MODULESMERGED.modules.keys() -%} -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-{{ INDEX }}-warm.yml > /dev/null 2>&1{% if not loop.last %};{% endif %} -{% endfor -%} diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 30b2c78e1..8ccb7cf2d 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -17,12 +17,6 @@ docker: port_bindings: - 0.0.0.0:9200:9200/tcp - 0.0.0.0:9300:9300/tcp - 'so-filebeat': - final_octet: 23 - port_bindings: - - 0.0.0.0:514:514/udp - - 0.0.0.0:514:514/tcp - - 0.0.0.0:5066:5066/tcp 'so-idstools': final_octet: 25 'so-influxdb': diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index 70a676e89..f1e93ddea 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja 
@@ -32,7 +32,6 @@ 'so-elasticsearch', 'so-elastic-fleet', 'so-elastic-fleet-package-registry', - 'so-filebeat', 'so-influxdb', 'so-kibana', 'so-kratos', @@ -54,7 +53,6 @@ {% if GLOBALS.role == 'so-searchnode' %} {% set NODE_CONTAINERS = [ 'so-elasticsearch', - 'so-filebeat', 'so-logstash', 'so-nginx' ] %} @@ -64,7 +62,6 @@ {% set NODE_CONTAINERS = [ 'so-curator', 'so-elasticsearch', - 'so-filebeat', 'so-logstash', 'so-nginx', 'so-redis', @@ -83,7 +80,6 @@ 'so-elasticsearch', 'so-elastic-fleet', 'so-elastic-fleet-package-registry', - 'so-filebeat', 'so-influxdb', 'so-kibana', 'so-kratos', @@ -94,7 +90,6 @@ {% if GLOBALS.role == 'so-receiver' %} {% set NODE_CONTAINERS = [ - 'so-filebeat', 'so-logstash', 'so-redis', ] %} diff --git a/setup/so-functions b/setup/so-functions index 78b87a113..64248c30f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1544,7 +1544,7 @@ make_some_dirs() { mkdir -p $local_salt_dir/salt/firewall/portgroups mkdir -p $local_salt_dir/salt/firewall/ports - for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni curator soc soctopus docker zeek suricata nginx telegraf filebeat logstash soc manager kratos idstools idh elastalert;do + for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni curator soc soctopus docker zeek suricata nginx telegraf logstash soc manager kratos idstools idh elastalert;do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls diff --git a/setup/so-variables b/setup/so-variables index 0caf10ee7..6a3861e92 100644 --- a/setup/so-variables +++ b/setup/so-variables 
@@ -136,12 +136,6 @@ export suricata_pillar_file adv_suricata_pillar_file="$local_salt_dir/pillar/suricata/adv_suricata.sls" export adv_suricata_pillar_file -filebeat_pillar_file="$local_salt_dir/pillar/filebeat/soc_filebeat.sls" -export filebeat_pillar_file - -adv_filebeat_pillar_file="$local_salt_dir/pillar/filebeat/adv_filebeat.sls" -export adv_filebeat_pillar_file - logstash_pillar_file="$local_salt_dir/pillar/logstash/soc_logstash.sls" export logstash_pillar_file @@ -200,4 +194,4 @@ influxdb_pillar_file="$local_salt_dir/pillar/influxdb/soc_influxdb.sls" export influxdb_pillar_file adv_influxdb_pillar_file="$local_salt_dir/pillar/influxdb/adv_influxdb.sls" -export adv_influxdb_pillar_file \ No newline at end of file +export adv_influxdb_pillar_file From 7c64dad95bdabfe3be1287a0fc14c12342c1087a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 11:28:46 -0500 Subject: [PATCH 161/470] add mysql --- salt/mysql/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 7287eb00d..7f8c9f347 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -21,7 +21,7 @@ mysqlpkgs: - python3-mysqldb {% endif %} {% else %} - - MySQL-python + - python3-mysqlclient {% endif %} mysqletcdir: From 3deb6197379cf72e0526fb0505193b4ecbcc6a78 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 12:58:39 -0500 Subject: [PATCH 162/470] add watchdog --- salt/common/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index d91e1b714..e5e75c47a 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -51,4 +51,5 @@ commonpkgs: - python3-m2crypto - rsync - python3-rich + - python3-watchdog {% endif %} From c20a7e6cf949a122eb87f6e3c9cbd589415ea74e Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 22 Feb 2023 13:48:40 -0500 Subject: [PATCH 163/470] fix yaml --- salt/strelka/filecheck/filecheck | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/filecheck/filecheck b/salt/strelka/filecheck/filecheck index ea7186793..758248083 100644 --- a/salt/strelka/filecheck/filecheck +++ b/salt/strelka/filecheck/filecheck @@ -15,7 +15,7 @@ from watchdog.observers import Observer from watchdog.events import FileSystemEventHandler with open("/opt/so/conf/strelka/filecheck.yaml", "r") as ymlfile: - cfg = yaml.load(ymlfile) + cfg = yaml.load(ymlfile, Loader=yaml.Loader) extract_path = cfg["filecheck"]["extract_path"] historypath = cfg["filecheck"]["historypath"] From c6a46d1eb34e7fe52f192dd9e425ae0e17d3e4e8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 14:14:27 -0500 Subject: [PATCH 164/470] change playbook to use hostname --- salt/mysql/init.sls | 2 +- salt/playbook/init.sls | 16 +++++++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 7f8c9f347..d6a910f32 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -105,7 +105,7 @@ so-mysql: - file: mysqlcnf - file: mysqlpass cmd.run: - - name: until nc -z {{ GLOBALS.manager_ip }} 3306; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager }} 3306; do sleep 1; done - timeout: 600 - onchanges: - docker_container: so-mysql diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 1b75935f1..5e3285914 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -19,7 +19,7 @@ create_playbookdbuser: - name: playbookdbuser - password: {{ PLAYBOOKPASS }} - host: "{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0" - - connection_host: {{ GLOBALS.manager_ip }} + - connection_host: {{ GLOBALS.manager }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} 
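Review bot: `Loader=yaml.Loader` on the `cfg = yaml.load(...)` line of filecheck picks PyYAML's full (unsafe) constructor, so the deprecation warning goes away but the risk the warning exists for stays: a `!!python/object`-style tag in /opt/so/conf/strelka/filecheck.yaml would be instantiated as arbitrary Python objects inside the filecheck process. The file is Salt-managed, so the exposure is limited to whoever can write it, but the config is read as plain mappings and strings (`cfg["filecheck"]["extract_path"]`, `["historypath"]`), so the safe loader is a drop-in: `cfg = yaml.safe_load(ymlfile)`. If some tag really is needed there, say which in a comment next to the load rather than leaving the full loader unexplained.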
@@ -28,7 +28,7 @@ query_playbookdbuser_grants: mysql_query.run: - database: playbook - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DOCKER.sorange.split('/')[0] }}/255.255.255.0';" - - connection_host: {{ GLOBALS.manager_ip }} + - connection_host: {{ GLOBALS.manager }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} @@ -36,7 +36,7 @@ query_playbookdbuser_grants: query_updatwebhooks: mysql_query.run: - database: playbook - - query: "update webhooks set url = 'http://{{ GLOBALS.manager_ip }}:7000/playbook/webhook' where project_id = 1" + - query: "update webhooks set url = 'http://{{ GLOBALS.manager}}:7000/playbook/webhook' where project_id = 1" - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root @@ -49,10 +49,10 @@ query_updatepluginurls: update settings set value = "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess project: '1' - convert_url: http://{{ GLOBALS.manager_ip }}:7000/playbook/sigmac - create_url: http://{{ GLOBALS.manager_ip }}:7000/playbook/play" + convert_url: http://{{ GLOBALS.manager }}:7000/playbook/sigmac + create_url: http://{{ GLOBALS.manager }}:7000/playbook/play" where id = 43 - - connection_host: {{ GLOBALS.manager_ip }} + - connection_host: {{ GLOBALS.manager }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} @@ -85,8 +85,10 @@ so-playbook: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - environment: - - REDMINE_DB_MYSQL={{ GLOBALS.manager_ip }} + - REDMINE_DB_MYSQL={{ GLOBALS.manager }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} From 59c700ad1012ce934534c9ea2346c7b164415bdc Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 22 Feb 2023 14:15:10 -0500 Subject: [PATCH 165/470] change playbook to use hostname --- salt/playbook/automation_user_create.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/playbook/automation_user_create.sls b/salt/playbook/automation_user_create.sls index 61662677f..dd4620c95 100644 --- a/salt/playbook/automation_user_create.sls +++ b/salt/playbook/automation_user_create.sls @@ -7,7 +7,7 @@ include: wait_for_playbook: cmd.run: - - name: until nc -z {{ GLOBALS.manager_ip }} 3200; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager }} 3200; do sleep 1; done - timeout: 300 create_user: From 68708accde95c73e4319b134a38f9f28cbdf2d9a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 14:32:49 -0500 Subject: [PATCH 166/470] change playbook to use hostname --- salt/mysql/init.sls | 2 ++ salt/playbook/init.sls | 4 ++-- salt/vars/globals.map.jinja | 1 + 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index d6a910f32..e6107c494 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -91,6 +91,8 @@ so-mysql: {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %} - {{ BINDING }} {% endfor %} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.sobip }} - environment: - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }} - MYSQL_ROOT_PASSWORD=/etc/mypass diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 5e3285914..5fe9ab92f 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
@@ -36,8 +36,8 @@ query_playbookdbuser_grants: query_updatwebhooks: mysql_query.run: - database: playbook - - query: "update webhooks set url = 'http://{{ GLOBALS.manager}}:7000/playbook/webhook' where project_id = 1" - - connection_host: {{ GLOBALS.manager_ip }} + - query: "update webhooks set url = 'http://{{ GLOBALS.manager_ip}}:7000/playbook/webhook' where project_id = 1" + - connection_host: {{ GLOBALS.manager }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index b2f5af552..52951c7d6 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -21,6 +21,7 @@ 'md_engine': INIT.PILLAR.global.mdengine, 'pipeline': INIT.PILLAR.global.pipeline, 'so_version': INIT.PILLAR.global.soversion, + 'so_bip': INIT.PILLAR.docker.sobip, 'url_base': INIT.PILLAR.global.url_base, 'so_model': INIT.GRAINS.get('sosmodel',''), 'description': INIT.PILLAR.sensoroni.get('node_description',''), From bf8e6c64d633af38be456a54b7319fa0f14e6f2c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 14:41:14 -0500 Subject: [PATCH 167/470] add sobip to global vars --- salt/mysql/init.sls | 2 +- salt/vars/globals.map.jinja | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index e6107c494..378b72a24 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -92,7 +92,7 @@ so-mysql: - {{ BINDING }} {% endfor %} - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.sobip }} + - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} - environment: - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }} - MYSQL_ROOT_PASSWORD=/etc/mypass diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 52951c7d6..6460e8957 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja 
@@ -1,4 +1,5 @@ {% import 'vars/init.map.jinja' as INIT %} +{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #} @@ -21,7 +22,8 @@ 'md_engine': INIT.PILLAR.global.mdengine, 'pipeline': INIT.PILLAR.global.pipeline, 'so_version': INIT.PILLAR.global.soversion, - 'so_bip': INIT.PILLAR.docker.sobip, + 'so_docker_bip': DOCKER.sobip, + 'so_docker_range': DOCKER.sorange, 'url_base': INIT.PILLAR.global.url_base, 'so_model': INIT.GRAINS.get('sosmodel',''), 'description': INIT.PILLAR.sensoroni.get('node_description',''), From 1c1e613351eafd2ef66eb85a170c91aaa0db9945 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 14:48:55 -0500 Subject: [PATCH 168/470] change playbook to use hostname --- salt/mysql/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 378b72a24..30e39aa86 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -94,7 +94,7 @@ so-mysql: - extra_hosts: - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} - environment: - - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }} + - MYSQL_ROOT_HOST={{ GLOBALS.manager }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro From 417fff924d04c7371d164c71a25d944899169c41 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 14:53:02 -0500 Subject: [PATCH 169/470] change playbook to use hostname --- salt/mysql/init.sls | 6 ++---- salt/playbook/init.sls | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 30e39aa86..ba78476dc 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -91,10 +91,8 @@ so-mysql: {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %} - {{ BINDING }} {% endfor %} - - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} - environment: - - MYSQL_ROOT_HOST={{ GLOBALS.manager }} + - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro @@ -107,7 +105,7 @@ so-mysql: - file: mysqlcnf - file: mysqlpass cmd.run: - - name: until nc -z {{ GLOBALS.manager }} 3306; do sleep 1; done + - name: until nc -z {{ GLOBALS.so_docker_bip }} 3306; do sleep 1; done - timeout: 600 - onchanges: - docker_container: so-mysql diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 5fe9ab92f..f2a9d4614 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -86,7 +86,7 @@ so-playbook: - binds: - /opt/so/log/playbook:/playbook/log:rw - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} - environment: - REDMINE_DB_MYSQL={{ GLOBALS.manager }} - REDMINE_DB_DATABASE=playbook From 6e59cc3409c4747fe01e0e0a0b6a501c0f0702fa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 14:56:53 -0500 Subject: [PATCH 170/470] change playbook to use hostname --- salt/playbook/init.sls | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index f2a9d4614..c36bef933 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -85,8 +85,6 @@ so-playbook: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw - - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} - environment: - REDMINE_DB_MYSQL={{ GLOBALS.manager }} - REDMINE_DB_DATABASE=playbook From 45434b06a446d1d03d85ad2ae6626b785675be92 Mon Sep 17 00:00:00 2001 
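Review bot: `MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }}` is an access-control change rather than a hostname swap: it restricts the MySQL root account to connections whose source is the docker bridge gateway address, and the `mysql_query.run` states in playbook/init.sls still authenticate as `root` via `connection_host: {{ GLOBALS.manager }}`, so they only work if that traffic arrives in the container with the bridge IP as its source after Docker's NAT. That is plausible for host-originated connections to a published port but should be confirmed on a real install and recorded in a comment such as `# root is only reachable from the docker bridge gateway (host-originated traffic); containers use playbookdbuser`. If the container runs the stock MySQL image entrypoint, MYSQL_ROOT_HOST is presumably honored only when the data directory is first initialized, so already-deployed managers would keep their old `root@<host>` grant after this change; a note on upgrade handling would help. The `nc -z {{ GLOBALS.so_docker_bip }} 3306` wait also assumes 3306 is published on the bridge address, which depends on so-mysql's `port_bindings` that are not visible here.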
From: Mike Reeves Date: Wed, 22 Feb 2023 15:08:56 -0500 Subject: [PATCH 171/470] change playbook to use hostname --- salt/playbook/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index c36bef933..7a644811c 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -86,7 +86,7 @@ so-playbook: - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: - - REDMINE_DB_MYSQL={{ GLOBALS.manager }} + - REDMINE_DB_MYSQL={{ GLOBALS.manager_ip }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} From 5bc1dc9567a8f45b9282c76cf3c5d1d9377ff874 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 15:19:27 -0500 Subject: [PATCH 172/470] change playbook to use hostname --- salt/playbook/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 7a644811c..8afd3d70b 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -86,7 +86,7 @@ so-playbook: - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: - - REDMINE_DB_MYSQL={{ GLOBALS.manager_ip }} + - REDMINE_DB_MYSQL={{ DOCKER.containers['so-mysql'].ip }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} From 0d0a61bd4a56a60cb4c63a6f80c16dcc2f7e125e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Feb 2023 15:29:30 -0500 Subject: [PATCH 173/470] remove so-grafana from node containers --- salt/firewall/containers.map.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index f1e93ddea..bd4cf72f1 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -7,7 +7,6 @@ 'so-elasticsearch', 'so-elastic-fleet', 'so-elastic-fleet-package-registry', - 'so-grafana', 'so-influxdb', 'so-kibana', 'so-kratos', 
From ecf70847fdf58c84540ff0a748829bb0058a28bf Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 22 Feb 2023 16:23:48 -0500 Subject: [PATCH 174/470] Change 'GLOBALS.minion_id' to 'GLOBALS.hostname' for 'analyzerNodeId' value to ensure SOC creates analyzer jobs in the correct directory --- salt/soc/defaults.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 17253b7fb..742d3d0dc 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -27,6 +27,6 @@ {% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.sorange, 'apiKey': pillar.sensoroni.sensoronikey}) %} -{% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.minion_id}) %} +{% do SOCDEFAULTS.soc.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %} {% set SOCDEFAULTS = SOCDEFAULTS.soc %} From 8e834079745cbaada5c16bc03087a4cd90541e92 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Feb 2023 16:24:35 -0500 Subject: [PATCH 175/470] change playbook to use hostname --- salt/firewall/iptables.jinja | 7 +++++++ salt/kibana/config.map.jinja | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index 8aea5ed36..ec2a5ae65 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja @@ -91,7 +91,9 @@ COMMIT {%- endfor %} -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -j REJECT --reject-with icmp-host-prohibited -A INPUT -p icmp -j ACCEPT -A INPUT -j LOGGING -A FORWARD -j DOCKER-USER 
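Review bot: `-A INPUT -j REJECT --reject-with icmp-host-prohibited` is appended before `-A INPUT -p icmp -j ACCEPT` and `-A INPUT -j LOGGING`, and because REJECT is a terminating target those two rules can never match: ICMP to the host is now rejected and the LOGGING chain no longer sees any of the traffic this ruleset refuses, so dropped-packet logging silently disappears. Move the catch-all after the LOGGING jump, i.e. `-A INPUT -p icmp -j ACCEPT` / `-A INPUT -j LOGGING` / `-A INPUT -j REJECT --reject-with icmp-host-prohibited`, or, if the LOGGING chain already ends in a DROP, leave it as the terminal step and omit the REJECT. The host-group ACCEPT rules emitted by the `{%- endfor %}` loop above still precede the REJECT, so permitted traffic is unaffected; only what the loop does not allow changes from logged-and-dropped to rejected-unlogged. The contents of the LOGGING chain are outside this hunk, so whether it drops is inferred from its name.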
@@ -100,6 +102,11 @@ COMMIT -A FORWARD -o sobridge -j DOCKER -A FORWARD -i sobridge ! -o sobridge -j ACCEPT -A FORWARD -i sobridge -o sobridge -j ACCEPT +-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i lo -j ACCEPT +-A FORWARD -m conntrack --ctstate INVALID -j DROP +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP {%- for rule in D2 %} diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index 9e75f1726..9b460e86f 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja @@ -3,7 +3,7 @@ {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} {% do KIBANACONFIG.kibana.config.server.update({'publicBaseUrl': 'https://' ~ GLOBALS.url_base ~ '/kibana'}) %} -{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager_ip ~ ':9200']}) %} +{% do KIBANACONFIG.kibana.config.elasticsearch.update({'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']}) %} {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} From 0ec0983d7bfd7318d2325cc482f5f38721f3a3e0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 08:57:30 -0500 Subject: [PATCH 176/470] Chane Elastalert to use hosntame --- salt/elastalert/elastalert_config.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja index 15f9c8530..26ddc08c9 100644 --- a/salt/elastalert/elastalert_config.map.jinja +++ b/salt/elastalert/elastalert_config.map.jinja 
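Review bot: `-A FORWARD -i lo -j ACCEPT` can never match, since loopback traffic is not forwarded, so it is a dead rule that reads as though loopback forwarding were intended, and the new `-A FORWARD -j REJECT --reject-with icmp-host-prohibited` becomes the terminal FORWARD rule ahead of whatever the `{%- for rule in D2 %}` loop below emits. If D2 ever produces FORWARD rules they are now unreachable; if it only emits OUTPUT or nat rules there is no problem, but that is not visible in the hunk. Drop the `-i lo` line and either move the REJECT to after the D2 loop or add a comment stating that D2 never produces FORWARD rules. A plain DROP is also the quieter choice for the FORWARD catch-all unless something depends on receiving the ICMP error, since `icmp-host-prohibited` tells a probing container or neighbour that a filter is in place.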
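Review bot: `'hosts': ['https://' ~ GLOBALS.manager ~ ':9200']` changes what Kibana's TLS check has to match: with certificate or full verification the certificate served on :9200 must carry the manager hostname as a SAN, whereas the previous URL only needed the IP SAN. The kibana defaults have an `elasticsearch.ssl` section whose `verificationMode` is not visible here, so confirm the issued certificate covers the hostname before relying on this; if verification is disabled the change is cosmetic, and a comment saying so would stop a later tightening from breaking it. The hostname also has to resolve inside the Kibana container, which this hunk does not arrange.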
@@ -3,7 +3,7 @@ {% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} -{% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager_ip}) %} +{% do ELASTALERT.elastalert.config.update({'es_host': GLOBALS.manager}) %} {% do ELASTALERT.elastalert.config.update({'es_username': pillar.elasticsearch.auth.users.so_elastic_user.user}) %} {% do ELASTALERT.elastalert.config.update({'es_password': pillar.elasticsearch.auth.users.so_elastic_user.pass}) %} From 7b30064d869517a287067653e03e2791da7f2abc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 09:10:20 -0500 Subject: [PATCH 177/470] Chane Elastalert to use hosntame --- salt/kibana/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 19682e105..676b26d5a 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -89,6 +89,8 @@ so-kibana: - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 - MANAGER={{ GLOBALS.manager }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw From 4db404b6f54ee57dcc82162a5151074f162a94a6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 23 Feb 2023 09:21:19 -0500 Subject: [PATCH 178/470] remove jinja from kibana defaults --- salt/kibana/defaults.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 159465508..64a5646e5 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -5,7 +5,6 @@ kibana: name: kibana host: "0.0.0.0" basePath: /kibana - publicBaseUrl: https://{{salt['pillar.get']('global:url_base')}}/kibana rewriteBasePath: false elasticsearch: ssl: From 6927e28def10d426f4197ba46360ab027bb49627 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Thu, 23 Feb 2023 09:25:16 -0500 Subject: [PATCH 179/470] Change kibana IP --- salt/kibana/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 676b26d5a..bb5a52048 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -90,7 +90,7 @@ so-kibana: - ELASTICSEARCH_PORT=9200 - MANAGER={{ GLOBALS.manager }} - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.so_docker_bip }} + - {{ GLOBALS.manager }}:{{ DOCKER.containers['so-elasticsearch'].ip }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw From dc2fed5b047c2256ce6bbda9c69d60e071956ab1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 09:34:16 -0500 Subject: [PATCH 180/470] Change elastalert ip --- salt/elastalert/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 37d749223..b57b5c17a 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -97,7 +97,7 @@ so-elastalert: - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - extra_hosts: - - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}} + - {{GLOBALS.url_base}}:{{ DOCKER.containers['so-elasticsearch'].ip }} - require: - cmd: wait_for_elasticsearch - file: elastarules From 95f254dc6388fd4f44996a35eb793ee6c19902e3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 09:37:20 -0500 Subject: [PATCH 181/470] Change elastalert ip --- salt/elastalert/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index b57b5c17a..607193e1c 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls 
@@ -97,7 +97,7 @@ so-elastalert: - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - extra_hosts: - - {{GLOBALS.url_base}}:{{ DOCKER.containers['so-elasticsearch'].ip }} + - {{ GLOBALS.manager }}:{{ DOCKER.containers['so-elasticsearch'].ip }} - require: - cmd: wait_for_elasticsearch - file: elastarules From 3fed04a5322e0c536d35da8ea09d2d39e77e980d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 09:52:24 -0500 Subject: [PATCH 182/470] fix nginx config --- salt/nginx/etc/nginx.conf | 34 ++++++++++------------------------ 1 file changed, 10 insertions(+), 24 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 1dc73d030..54d0a466c 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,6 +1,6 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} +{%- from 'docker/docker.map.jinja' import DOCKER %} {%- set role = grains.id.split('_') | last %} - {%- set influxpass = salt['pillar.get']('secrets:influx_pass') %} {%- set influxauth = ('so:' + influxpass) | base64_encode %} @@ -98,7 +98,7 @@ http { ssl_protocols TLSv1.2; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ GLOBALS.manager_ip }}:9822; + proxy_pass http://{{ DOCKER.containers['so-soc'].ip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header x-user-id ""; @@ -115,7 +115,7 @@ http { auth_request /auth/sessions/whoami; auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id; proxy_set_header x-user-id $userid; - proxy_pass http://{{ GLOBALS.manager_ip }}:9822/; + proxy_pass http://{{ DOCKER.containers['so-soc'].ip }}:9822/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; 
@@ -129,7 +129,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ GLOBALS.manager_ip }}:4433; + proxy_pass http://{{ DOCKER.containers['so-kratos'].ip }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -186,7 +186,7 @@ http { location /influxdb/ { auth_request /auth/sessions/whoami; rewrite /influxdb/api/(.*) /api/$1 break; - proxy_pass https://{{ GLOBALS.manager_ip }}:8086/; + proxy_pass https://{{ DOCKER.containers['so-influxdb'].ip }}:8086/; proxy_read_timeout 300; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -200,7 +200,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ GLOBALS.manager_ip }}:5601/; + proxy_pass http://{{ DOCKER.containers['so-kibana'].ip }}:5601/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -209,24 +209,10 @@ http { proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; } - - location /nodered/ { - auth_request /auth/sessions/whoami; - proxy_pass http://{{ GLOBALS.manager_ip }}:1880/; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } - + location /playbook/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ GLOBALS.manager_ip }}:3200/playbook/; + proxy_pass http://{{ DOCKER.containers['so-playbook'].ip }}:3000/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
@@ -239,7 +225,7 @@ http { location /soctopus/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ GLOBALS.manager_ip }}:7000/; + proxy_pass http://{{ DOCKER.containers['so-soctopus'].ip }}:7000/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -261,7 +247,7 @@ http { if ($http_authorization = "") { return 403; } - proxy_pass http://{{ GLOBALS.manager_ip }}:9822/; + proxy_pass http://{{ DOCKER.containers['so-soc'].ip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header x-user-id ""; From 7f2d2630467d2850d0572c270c2196e1548fcbfa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 10:16:34 -0500 Subject: [PATCH 183/470] fix nginx config --- salt/vars/globals.map.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 6460e8957..578432799 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -50,9 +50,9 @@ {% do GLOBALS.update({ 'application_urls': { - 'kratos': 'http://' ~ GLOBALS.manager_ip ~ ':4434/', - 'elastic': 'https://' ~ GLOBALS.manager_ip ~ ':9200/', - 'influxdb': 'https://' ~ GLOBALS.manager_ip ~ ':8086/' + 'kratos': 'http://' ~ GLOBALS.manager ~ ':4434/', + 'elastic': 'https://' ~ GLOBALS.manager ~ ':9200/', + 'influxdb': 'https://' ~ GLOBALS.manager ~ ':8086/' } }) %} From 96b1fb4782bee9ee67f9ac7fc81c2839cd33bb5c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 23 Feb 2023 10:51:03 -0500 Subject: [PATCH 184/470] change to eval --- salt/firewall/assigned_hostgroups.map.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index c018559fe..0f748e6d6 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
@@ -9,7 +9,7 @@ role: chain: DOCKER-USER: hostgroups: - manager: + eval: portgroups: - {{ portgroups.playbook }} - {{ portgroups.mysql }} From 399e4de73c62e743f56ca5269d8de7305121b2aa Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 23 Feb 2023 11:04:23 -0500 Subject: [PATCH 185/470] stop and disable firewalld --- salt/firewall/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index de22703f3..12aaed39e 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,6 +1,11 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +disable_firewalld: + service.dead: + - name: firewalld + - enable: False + create_sysconfig_iptables: file.touch: - name: /etc/sysconfig/iptables From 148b0b1c4c2358559628e1962953b526fe043133 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 11:11:29 -0500 Subject: [PATCH 186/470] use hostnames please --- salt/elastalert/init.sls | 2 +- salt/elastic-fleet/init.sls | 6 +++++- salt/nginx/etc/nginx.conf | 16 ++++++++-------- salt/soc/init.sls | 1 - 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 607193e1c..b04fe1147 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -97,7 +97,7 @@ so-elastalert: - /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro - /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro - extra_hosts: - - {{ GLOBALS.manager }}:{{ DOCKER.containers['so-elasticsearch'].ip }} + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - require: - cmd: wait_for_elasticsearch - file: elastarules diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index be9bac96e..4218eca67 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls 
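Review bot: `disable_firewalld` runs before anything else in firewall/init.sls, and stopping firewalld flushes its ruleset, so from that point until the iptables rules further down the state are loaded the host is unfiltered, and if the rule load fails it stays that way until the next highstate. Keeping the gap to the swap itself means ordering the stop against the rule-load state (both outside this hunk), e.g. `- require:` on the state that writes /etc/sysconfig/iptables and `- require_in:` on the one that loads it, so firewalld is only stopped once replacement rules are ready. `service.dead` on a host without a firewalld unit is presumably treated by Salt as a no-op rather than a failure, but a one-line comment such as `# firewalld conflicts with the managed iptables ruleset on RHEL-family hosts` would make the intent and the platform assumption explicit.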
@@ -52,7 +52,11 @@ so-elastic-fleet: - sobridge: - ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }} - extra_hosts: + {% if GLOBALS.is_manager %} + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + {% else %} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} + {% endif %} - port_bindings: {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} - {{ BINDING }} @@ -63,7 +67,7 @@ so-elastic-fleet: - environment: - FLEET_SERVER_ENABLE=true - FLEET_URL=https://{{ FLEETURL }}:8220 - - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager_ip }}:9200 + - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200 - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 54d0a466c..e6a7f3c87 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -98,7 +98,7 @@ http { ssl_protocols TLSv1.2; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { - proxy_pass http://{{ DOCKER.containers['so-soc'].ip }}:9822; + proxy_pass http://{{ GLOBALS.manager }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header x-user-id ""; @@ -115,7 +115,7 @@ http { auth_request /auth/sessions/whoami; auth_request_set $userid $upstream_http_x_kratos_authenticated_identity_id; proxy_set_header x-user-id $userid; - proxy_pass http://{{ DOCKER.containers['so-soc'].ip }}:9822/; + proxy_pass http://{{ GLOBALS.manager }}:9822/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -129,7 +129,7 @@ http { location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; - proxy_pass http://{{ DOCKER.containers['so-kratos'].ip }}:4433; + proxy_pass http://{{ GLOBALS.manager }}:4433; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; 
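Review bot: in the `extra_hosts` list the `{% else %}` branch for non-manager roles only adds `{{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}`, while `FLEET_SERVER_ELASTICSEARCH_HOST` now points at `https://{{ GLOBALS.manager }}:9200` on every role, so on a non-manager node the manager hostname must be resolved by whatever DNS or /etc/hosts the Docker host happens to have; where it does not resolve, Fleet Server fails where the previous IP URL worked. Adding `- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}` in both branches (next to the node entry in the else case) removes that dependency. Switching to the hostname also means the Elasticsearch certificate validated against `/etc/pki/intca.crt` must carry the manager hostname as a SAN; presumably the SO-issued certificates do, but that is worth confirming on a distributed install.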
@@ -186,7 +186,7 @@ http { location /influxdb/ { auth_request /auth/sessions/whoami; rewrite /influxdb/api/(.*) /api/$1 break; - proxy_pass https://{{ DOCKER.containers['so-influxdb'].ip }}:8086/; + proxy_pass https://{{ GLOBALS.manager }}:8086/; proxy_read_timeout 300; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -200,7 +200,7 @@ http { location /kibana/ { auth_request /auth/sessions/whoami; rewrite /kibana/(.*) /$1 break; - proxy_pass http://{{ DOCKER.containers['so-kibana'].ip }}:5601/; + proxy_pass http://{{ GLOBALS.manager }}:5601/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -212,7 +212,7 @@ http { location /playbook/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ DOCKER.containers['so-playbook'].ip }}:3000/playbook/; + proxy_pass http://{{ GLOBALS.manager }}:3000/playbook/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header Host $host; @@ -225,7 +225,7 @@ http { location /soctopus/ { auth_request /auth/sessions/whoami; - proxy_pass http://{{ DOCKER.containers['so-soctopus'].ip }}:7000/; + proxy_pass http://{{ GLOBALS.manager }}:7000/; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_set_header Host $host; @@ -247,7 +247,7 @@ http { if ($http_authorization = "") { return 403; } - proxy_pass http://{{ DOCKER.containers['so-soc'].ip }}:9822/; + proxy_pass http://{{ GLOBALS.manager }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; proxy_set_header x-user-id ""; diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 502b47136..9905a104a 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -111,7 +111,6 @@ so-soc: - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw - /opt/so/saltstack:/opt/so/saltstack:rw - extra_hosts: - - {{GLOBALS.influxdb_host}}:{{pillar.node_data[GLOBALS.influxdb_host].ip}} {%- if salt['pillar.get']('nodestab', {}) %} {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - {{ SN.split('_')|first }}:{{ SNDATA.ip }} 
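Review bot: Every `proxy_pass` in the nginx.conf hunks now targets `{{ GLOBALS.manager }}`, which the nginx container can only resolve if a hosts entry is injected for it and which presumably maps to the host address rather than the per-container bridge addresses used before. Each upstream port (9822, 4433, 8086, 5601, 3000, 7000) must therefore be published on the host, and a published port is reachable by anything the iptables/DOCKER-USER rules admit, not only by containers on the bridge — the Kratos listener on 4433 in particular was previously reached only from nginx. Worth confirming that the matching `portgroups`/hostgroup assignments deliberately limit those ports, and documenting the dependency above the first `proxy_pass`, e.g. `# upstreams are addressed by the manager hostname; the so-nginx container needs an extra_hosts entry for it`. nginx also resolves a plain hostname in `proxy_pass` once at config load, so a changed hosts entry requires a reload to take effect.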
From 4896452245a90f56edce055f8c543e5952d1d28d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 11:13:54 -0500 Subject: [PATCH 187/470] use hostnames please --- salt/kibana/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index bb5a52048..a974dcf48 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -90,7 +90,7 @@ so-kibana: - ELASTICSEARCH_PORT=9200 - MANAGER={{ GLOBALS.manager }} - extra_hosts: - - {{ GLOBALS.manager }}:{{ DOCKER.containers['so-elasticsearch'].ip }} + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw From 2ebd9b359884f4c0df9e0c6878fd313fb69f1105 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 11:19:13 -0500 Subject: [PATCH 188/470] use hostnames please --- salt/nginx/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index d6839814f..e3a13c2f2 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -88,6 +88,8 @@ so-nginx: - networks: - sobridge: - ipv4_address: {{ DOCKER.containers['so-nginx'].ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - binds: - /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - /opt/so/log/nginx/:/var/log/nginx:rw From 265447801ef8b09cd37bb758e07ded7ef59cba1a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 23 Feb 2023 12:08:43 -0500 Subject: [PATCH 189/470] allow the rpm gpg key filename --- .github/.gitleaks.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml index 3ac46149b..024b8ce51 100644 --- a/.github/.gitleaks.toml +++ b/.github/.gitleaks.toml 
@@ -536,7 +536,7 @@ secretGroup = 4 [allowlist] description = "global allow lists" -regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}'''] +regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*'''] paths = [ '''gitleaks.toml''', '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''', From 7067f9cd9c7bfa7202aa2aa99660350e902a4976 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 23 Feb 2023 12:09:55 -0500 Subject: [PATCH 190/470] allow the rpm gpg key filename --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7f2e97617..197c4d5c2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-kilo +2.4.0 From 8f46e4aa30a9925de08edf9017609d272db0872d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 23 Feb 2023 12:26:48 -0500 Subject: [PATCH 191/470] set docker extra_hosts for soc --- salt/soc/init.sls | 8 ++------ salt/soc/merged.map.jinja | 4 ++++ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 9905a104a..e2ec511ed 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -3,6 +3,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER %} +{% from 'soc/merged.map.jinja' import DOCKER_EXTRA_HOSTS %} include: - manager.sync_es_users @@ -110,12 +111,7 @@ so-soc: - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/salt:/opt/sensoroni/salt:rw - /opt/so/saltstack:/opt/so/saltstack:rw - - extra_hosts: - {%- if salt['pillar.get']('nodestab', {}) %} - {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - - {{ SN.split('_')|first }}:{{ SNDATA.ip }} - {%- endfor %} - {%- endif %} + - extra_hosts: {{ DOCKER_EXTRA_HOSTS }} - port_bindings: {% for BINDING in DOCKER.containers['so-soc'].port_bindings %} - {{ BINDING }} 
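Review bot: `'''RPM-GPG-KEY.*'''` is added to the global `regexes` allowlist, which gitleaks matches against the detected secret text (its `regexTarget` defaults to the secret), not against the file name the commit message refers to. Any finding anywhere in the repository whose matched text contains `RPM-GPG-KEY` is therefore suppressed, and the trailing `.*` does not narrow that at all. If the intent is to skip the key file itself, the narrower place is the `paths` list in the same table, e.g. `'''RPM-GPG-KEY.*''',` added there, leaving `regexes` for genuine content false positives.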
diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 4ae7ce38e..97d228ebd 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -1,5 +1,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %} +{% from 'logstash/map.jinja' import LOGSTASH_NODES %} +{% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %} +{% do DOCKER_EXTRA_HOSTS.append({GLOBALS.influxdb_host:pillar.node_data[GLOBALS.influxdb_host].ip}) %} + {% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %} {# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #} From b206b23fe150aef6d6ad3d7c035f2fef2966d01a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 16:09:54 -0500 Subject: [PATCH 192/470] unfix playbook fix --- salt/playbook/init.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 8afd3d70b..5fe9ab92f 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -85,8 +85,10 @@ so-playbook: - ipv4_address: {{ DOCKER.containers['so-playbook'].ip }} - binds: - /opt/so/log/playbook:/playbook/log:rw + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - environment: - - REDMINE_DB_MYSQL={{ DOCKER.containers['so-mysql'].ip }} + - REDMINE_DB_MYSQL={{ GLOBALS.manager }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} From bf512d56ec3f4942e37d7fd8942e93629da659b8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 16:12:57 -0500 Subject: [PATCH 193/470] unfix playbook fix --- salt/mysql/init.sls | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index ba78476dc..360e3d799 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
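Review bot: `{% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES %}` binds a second name to the same list object, so the `append` on the following line also mutates `LOGSTASH_NODES` for any other template that imports it from `logstash/map.jinja` during the same render, silently adding the influxdb host to whatever those consumers build. Copying first, `{% set DOCKER_EXTRA_HOSTS = LOGSTASH_NODES | list %}`, keeps the append local to this file. In the `soc/init.sls` hunk above, `- extra_hosts: {{ DOCKER_EXTRA_HOSTS }}` relies on Python's repr of a list of dicts happening to parse as YAML flow syntax; `{{ DOCKER_EXTRA_HOSTS | yaml }}` makes that explicit and survives values containing quotes. Whether `docker_container.running` accepts `extra_hosts` as one-key mappings rather than `host:ip` strings depends on how `LOGSTASH_NODES` is shaped, which is not visible here.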
@@ -87,12 +87,14 @@ so-mysql: - networks: - sobridge: - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %} - {{ BINDING }} {% endfor %} - environment: - - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }} + - MYSQL_ROOT_HOST={{ GLOBALS.manager }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro @@ -105,7 +107,7 @@ so-mysql: - file: mysqlcnf - file: mysqlpass cmd.run: - - name: until nc -z {{ GLOBALS.so_docker_bip }} 3306; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager }} 3306; do sleep 1; done - timeout: 600 - onchanges: - docker_container: so-mysql From cd56d3a799a5748c8f3068a53b3da8aa890b0ec1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Feb 2023 16:18:22 -0500 Subject: [PATCH 194/470] unfix playbook fix --- salt/mysql/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 360e3d799..c077695b8 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -94,7 +94,7 @@ so-mysql: - {{ BINDING }} {% endfor %} - environment: - - MYSQL_ROOT_HOST={{ GLOBALS.manager }} + - MYSQL_ROOT_HOST={{ GLOBALS.so_docker_bip }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro From 1289500e0382a833bdadeed4db2a2dc2d436ccda Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 09:55:49 -0500 Subject: [PATCH 195/470] unfix playbook fix --- salt/docker/defaults.yaml | 2 +- salt/firewall/ports/ports.yaml | 2 +- salt/playbook/automation_user_create.sls | 2 +- salt/playbook/files/automation_user_create.sh | 4 ++-- salt/soctopus/files/SOCtopus.conf | 4 ++-- salt/soctopus/init.sls | 1 + salt/strelka/init.sls | 5 +++++ 7 files changed, 13 insertions(+), 7 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 8ccb7cf2d..1fcc114b1 100644 
--- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -56,7 +56,7 @@ docker: 'so-playbook': final_octet: 32 port_bindings: - - 0.0.0.0:3200:3000 + - 0.0.0.0:3000:3000 'so-redis': final_octet: 33 port_bindings: diff --git a/salt/firewall/ports/ports.yaml b/salt/firewall/ports/ports.yaml index d26b373cb..22c6c8b09 100644 --- a/salt/firewall/ports/ports.yaml +++ b/salt/firewall/ports/ports.yaml @@ -50,7 +50,7 @@ firewall: - 443 playbook: tcp: - - 3200 + - 3000 redis: tcp: - 6379 diff --git a/salt/playbook/automation_user_create.sls b/salt/playbook/automation_user_create.sls index dd4620c95..49ec2e795 100644 --- a/salt/playbook/automation_user_create.sls +++ b/salt/playbook/automation_user_create.sls @@ -7,7 +7,7 @@ include: wait_for_playbook: cmd.run: - - name: until nc -z {{ GLOBALS.manager }} 3200; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager }} 3000; do sleep 1; done - timeout: 300 create_user: diff --git a/salt/playbook/files/automation_user_create.sh b/salt/playbook/files/automation_user_create.sh index 7279d13cc..1530e9338 100644 --- a/salt/playbook/files/automation_user_create.sh +++ b/salt/playbook/files/automation_user_create.sh @@ -13,7 +13,7 @@ while [[ $try_count -le 6 ]]; do # Create user and retrieve api_key and user_id from response mapfile -t automation_res < <( - curl -s --location --request POST 'http://127.0.0.1:3200/playbook/users.json' --user "admin:{{ admin_pass }}" --header 'Content-Type: application/json' --data '{ + curl -s --location --request POST 'http://127.0.0.1:3000/playbook/users.json' --user "admin:{{ admin_pass }}" --header 'Content-Type: application/json' --data '{ "user" : { "login" : "automation", "password": "{{ automation_pass }}", 
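Review bot: The changed `curl` line in `automation_user_create.sh` still passes the Redmine admin credential as `--user "admin:{{ admin_pass }}"`, which is visible in the process argument list for the duration of the request; the commit only changes the port, but since it rewrites the line it is a natural moment to move the credential off the command line. `curl -s --location --request POST ... -K <(printf 'user = "admin:{{ admin_pass }}"\n')` or a `--netrc-file` keeps it out of `ps`, and the same applies to the second `curl` in the next hunk. This is pre-existing rather than introduced here, and the enclosing `while` loop starts outside the hunk.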
@@ -28,7 +28,7 @@ while [[ $try_count -le 6 ]]; do automation_user_id=${automation_res[1]} # Add user_id from newly created user to Automation group - curl -s --location --request POST "http://127.0.0.1:3200/playbook/groups/${automation_group}/users.json" \ + curl -s --location --request POST "http://127.0.0.1:3000/playbook/groups/${automation_group}/users.json" \ --user "admin:{{ admin_pass }}" \ --header 'Content-Type: application/json' \ --data "{ diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 7c516dd37..d9dd03f16 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -63,10 +63,10 @@ slack_url = YOURSLACKWORKSPACE slack_webhook = YOURSLACKWEBHOOK [soc] -soc_url = http://{{ GLOBALS.manager_ip }}:9822 +soc_url = http://{{ GLOBALS.manager }}:9822 [playbook] -playbook_url = http://{{ GLOBALS.manager_ip }}:3200/playbook +playbook_url = http://{{ GLOBALS.manager }}:3000/playbook playbook_ext_url = https://{{ GLOBALS.url_base }}/playbook playbook_key = {{ PLAYBOOK_KEY }} playbook_verifycert = no diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index fe9cb6d60..203950bb4 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -81,6 +81,7 @@ so-soctopus: {% endfor %} - extra_hosts: - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}} + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - require: - file: soctopusconf - file: navigatordefaultlayer diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 796533c2d..7e623408b 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -172,6 +172,7 @@ strelka_coordinator: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} - {{ BINDING }} 
@@ -190,6 +191,7 @@ strelka_gatekeeper: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} - {{ BINDING }} @@ -212,6 +214,7 @@ strelka_frontend: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} - {{ BINDING }} @@ -250,6 +253,7 @@ strelka_manager: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-strelka-manager_so-status.conf: file.append: @@ -267,6 +271,7 @@ strelka_filestream: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-strelka-filestream_so-status.conf: file.append: From 39361c2ab0491f59e24207bd0777bf8a95c1ce4d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 10:01:27 -0500 Subject: [PATCH 196/470] unfix playbook fix --- salt/strelka/init.sls | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 7e623408b..d29053229 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -172,7 +172,8 @@ strelka_coordinator: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} - {{ BINDING }} 
@@ -191,7 +192,8 @@ strelka_gatekeeper: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} - {{ BINDING }} @@ -214,7 +216,8 @@ strelka_frontend: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} - {{ BINDING }} @@ -236,6 +239,8 @@ strelka_backend: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - restart_policy: on-failure append_so-strelka-backend_so-status.conf: @@ -253,7 +258,8 @@ strelka_manager: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-strelka-manager_so-status.conf: file.append: @@ -271,7 +277,8 @@ strelka_filestream: - sobridge: - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-strelka-filestream_so-status.conf: file.append: From 29cf95d6eba8a7534b75f24ecbfbc494aa7699a3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 10:06:43 -0500 Subject: [PATCH 197/470] remove yum versionlock --- salt/yum/packages.sls | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/salt/yum/packages.sls b/salt/yum/packages.sls index 50f763b0f..f70fa20be 100644 --- a/salt/yum/packages.sls +++ b/salt/yum/packages.sls @@ -2,6 +2,3 @@ install_yum_utils: pkg.installed: - name: yum-utils -install_yum_versionlock: - pkg.installed: - - name: yum-plugin-versionlock From d3c5d0569a7d03ce9794d26e669448b5b1899e09 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 24 Feb 2023 10:20:02 -0500 Subject: [PATCH 198/470] Remove FleetDM tool instead of deactivating it --- salt/soc/defaults.yaml | 5 ----- salt/soc/merged.map.jinja | 2 -- 2 files changed, 7 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 0723f2da9..9a468902c 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1091,11 +1091,6 @@ soc: icon: fa-external-link-alt target: so-playbook link: /playbook/projects/detection-playbooks/issues/ - - name: toolFleet - description: toolFleetHelp - icon: fa-external-link-alt - target: so-fleet - link: /fleet/ - name: toolNavigator description: toolNavigatorHelp icon: fa-external-link-alt diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja index 4ae7ce38e..0b5badba1 100644 --- a/salt/soc/merged.map.jinja +++ b/salt/soc/merged.map.jinja @@ -25,8 +25,6 @@ {% do SOCMERGED.server.client.inactiveTools.append('toolPlaybook') %} {% endif %} -{% do SOCMERGED.server.client.inactiveTools.append('toolFleet') %} - {% set standard_actions = SOCMERGED.pop('actions') %} {% if pillar.global.endgamehost is defined %} {% set endgame_dict = { From 316db8558432a4197d9e670c8508ce8ecb94e30a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 24 Feb 2023 10:20:23 -0500 Subject: [PATCH 199/470] Generate SOC SRVKey during setup --- salt/soc/soc_soc.yaml | 5 +++++ setup/so-functions | 7 ++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index e6b43cf0b..17737abe4 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml 
@@ -47,6 +47,11 @@ soc: global: True advanced: True server: + srvKey: + description: Unique key for protecting the integrity of user submitted data via the web browser. + global: True + sensitive: True + advanced: True maxPacketCount: description: Maximum number of packets to show in the PCAP viewer. Larger values can cause more resource utilization on both the SOC server and the browser. global: True diff --git a/setup/so-functions b/setup/so-functions index 8139b60a1..dc5d21f08 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1245,6 +1245,7 @@ generate_passwords(){ SENSORONIKEY=$(get_random_value) KRATOSKEY=$(get_random_value) REDISPASS=$(get_random_value) + SOCSRVKEY=$(get_random_value 64) } generate_interface_vars() { @@ -1380,7 +1381,11 @@ idstools_pillar() { soc_pillar() { title "Creating the SOC pillar" touch $adv_soc_pillar_file - touch $soc_pillar_file + printf '%s\n'\ + "soc:"\ + " server:"\ + " srvKey: '$SOCSRVKEY'"\ + "" > "$soc_pillar_file" } telegraf_pillar() { From 99105c7563b87bf8f37473e9062448354479e1d6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 10:43:41 -0500 Subject: [PATCH 200/470] Add fireall custom groups --- salt/firewall/custom_groups/groups | 0 salt/firewall/soc_firewall.yaml | 7 +++++++ 2 files changed, 7 insertions(+) create mode 100644 salt/firewall/custom_groups/groups diff --git a/salt/firewall/custom_groups/groups b/salt/firewall/custom_groups/groups new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 614f98190..ff2409b54 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,4 +1,11 @@ firewall: + custom_groups: + groups: + description: List of group names to create. + file: True + global: True + title: Custom Firewall Groups + helpLink: firewall.html#host-groups hostgroups: analyst_workstations: description: List of IP addresses or CIDR blocks to allow analyst workstations. 
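Review bot: `soc_pillar` now writes the new `srvKey` into `$soc_pillar_file` with a plain `>` redirection, so the file's mode comes from the process umask, while the same key is declared `sensitive: True` in `soc_soc.yaml`. Unless the pillar directory's permissions are tightened elsewhere in setup, `(umask 077; printf ... > "$soc_pillar_file")` or a following `chmod 600 "$soc_pillar_file"` keeps the key from being world-readable on the manager. The value is emitted single-quoted, so if `get_random_value` can ever produce `'` (its character set is not visible here) the pillar becomes invalid YAML; confirm the alphabet or escape the value. Replacing `touch` with a redirect also overwrites any existing content, which is fine for a fresh install but worth noting if this function can run on re-setup.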
From a0eb505db036d303f18687e08561d603b0a3cf36 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 11:12:17 -0500 Subject: [PATCH 201/470] Add fireall custom groups --- .../firewall/{soc_firewall.yaml => defaults_soc_firewall.yaml} | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) rename salt/firewall/{soc_firewall.yaml => defaults_soc_firewall.yaml} (98%) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/defaults_soc_firewall.yaml similarity index 98% rename from salt/firewall/soc_firewall.yaml rename to salt/firewall/defaults_soc_firewall.yaml index ff2409b54..718cba441 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/defaults_soc_firewall.yaml @@ -2,7 +2,8 @@ firewall: custom_groups: groups: description: List of group names to create. - file: True + multiline: True + forcedType: "[]string" global: True title: Custom Firewall Groups helpLink: firewall.html#host-groups From a25acb45581a81af30f36b6b5e6cc27a9bbfe8dc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 12:19:57 -0500 Subject: [PATCH 202/470] comment out minion installs for now --- setup/so-functions | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 64248c30f..be5c7e314 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2031,13 +2031,13 @@ saltify() { # THIS IS A TEMP HACK logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker" logCmd "mkdir -p /etc/salt/minion.d" - if [[ $waitforstate ]]; then - # Since this is a salt master so let's install it - logCmd "" - else - # We just need the minion - logCmd "dnf -y install salt-minion" - fi + #if [[ $waitforstate ]]; then + # # Since this is a salt master so let's install it + # logCmd "" + #else + # # We just need the minion + # logCmd "dnf -y install salt-minion" + #fi fi } From afccd3f820a4ddbf8551551de56bb6f2722cd9d6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Feb 2023 12:21:14 -0500 Subject: [PATCH 203/470] comment out minion installs for now --- salt/firewall/custom_groups/groups | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 salt/firewall/custom_groups/groups diff --git a/salt/firewall/custom_groups/groups b/salt/firewall/custom_groups/groups deleted file mode 100644 index e69de29bb..000000000 From 3e2e68fbd023d22fd69a5a339425087e83eeeadd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Feb 2023 14:24:47 -0500 Subject: [PATCH 204/470] custom hostgroups in soc --- salt/firewall/{ => soc}/defaults_soc_firewall.yaml | 0 salt/firewall/soc/init.sls | 5 +++++ salt/firewall/soc/soc.map.jinja | 2 ++ salt/firewall/soc/soc_firewall.yaml.jinja | 1 + 4 files changed, 8 insertions(+) rename salt/firewall/{ => soc}/defaults_soc_firewall.yaml (100%) create mode 100644 salt/firewall/soc/init.sls create mode 100644 salt/firewall/soc/soc.map.jinja create mode 100644 salt/firewall/soc/soc_firewall.yaml.jinja 
diff --git a/salt/firewall/defaults_soc_firewall.yaml b/salt/firewall/soc/defaults_soc_firewall.yaml similarity index 100% rename from salt/firewall/defaults_soc_firewall.yaml rename to salt/firewall/soc/defaults_soc_firewall.yaml diff --git a/salt/firewall/soc/init.sls b/salt/firewall/soc/init.sls new file mode 100644 index 000000000..2530606cc --- /dev/null +++ b/salt/firewall/soc/init.sls @@ -0,0 +1,5 @@ +soc_firewall_yaml: + file.managed: + - name: /opt/so/saltstack/local/salt/firewall/soc_firewall.yaml + - source: salt://firewall/soc/soc_firewall.yaml.jinja + - template: jinja diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja new file mode 100644 index 000000000..cd3fa0401 --- /dev/null +++ b/salt/firewall/soc/soc.map.jinja @@ -0,0 +1,2 @@ +{% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %} +{% set SOC_FIREWALL = salt['pillar.get'}('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %} diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja new file mode 100644 index 000000000..916fd83d1 --- /dev/null +++ b/salt/firewall/soc/soc_firewall.yaml.jinja @@ -0,0 +1 @@ +{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %} From 29c68c1273a7970c25d8446bd13c2442992b100a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Feb 2023 14:32:35 -0500 Subject: [PATCH 205/470] fix bracket, add output to template --- salt/firewall/soc/soc.map.jinja | 2 +- salt/firewall/soc/soc_firewall.yaml.jinja | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja index cd3fa0401..7e86d5252 100644 --- a/salt/firewall/soc/soc.map.jinja +++ b/salt/firewall/soc/soc.map.jinja 
@@ -1,2 +1,2 @@ {% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %} -{% set SOC_FIREWALL = salt['pillar.get'}('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %} +{% set SOC_FIREWALL = salt['pillar.get']('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %} diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja index 916fd83d1..0a8a4761f 100644 --- a/salt/firewall/soc/soc_firewall.yaml.jinja +++ b/salt/firewall/soc/soc_firewall.yaml.jinja @@ -1 +1,3 @@ {% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %} + +{{ SOC_FIREWALL | yaml(false) }} From d502d95dba620c14509214c6d80093c7b507d72a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Feb 2023 15:24:02 -0500 Subject: [PATCH 206/470] changes for soc firewall --- pillar/top.sls | 8 ++++++++ salt/firewall/soc/soc.map.jinja | 9 ++++++++- salt/firewall/soc/soc_firewall.yaml.jinja | 3 +-- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index 86de8709e..41d3265f0 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -60,6 +60,8 @@ base: - elasticsearch.adv_elasticsearch - backup.soc_backup - backup.adv_backup + - firewall.soc_firewall + - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} @@ -94,6 +96,8 @@ base: - influxdb.adv_influxdb - backup.soc_backup - backup.adv_backup + - firewall.soc_firewall + - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} @@ -125,6 +129,8 @@ base: - soc.soc_soc - backup.soc_backup - backup.adv_backup + - firewall.soc_firewall + - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} @@ -197,6 +203,8 @@ base: - redis.adv_redis - influxdb.soc_influxdb - influxdb.adv_influxdb + - firewall.soc_firewall + - firewall.adv_firewall - minions.{{ grains.id }} - minions.adv_{{ grains.id }} 
diff --git a/salt/firewall/soc/soc.map.jinja b/salt/firewall/soc/soc.map.jinja index 7e86d5252..00fc50dd1 100644 --- a/salt/firewall/soc/soc.map.jinja +++ b/salt/firewall/soc/soc.map.jinja @@ -1,2 +1,9 @@ {% import_yaml 'firewall/soc/defaults_soc_firewall.yaml' as DEFAULT_SOC_FIREWALL %} -{% set SOC_FIREWALL = salt['pillar.get']('firewall:custom_groups:groups', DEFAULT_SOC_FIREWALL.firewall.hostgroups, merge=True) %} +{% set PILLAR_SOC_FIREWALL_GROUPS = salt['pillar.get']('firewall:custom_groups:groups', {}) %} +{% set SOC_FIREWALL = DEFAULT_SOC_FIREWALL %} + +{% for group in PILLAR_SOC_FIREWALL_GROUPS %} +{% set description = 'List of IP addresses or CIDR blocks to allow for ' ~ group ~ ' hostgroup.' %} +{% set title = group[0]|upper ~ group[1:] %} +{% do SOC_FIREWALL.firewall.hostgroups.update({group:{'description': description, 'file': 'True', 'global': 'True', 'title': title, 'helpLink': 'firewall.html#host-groups'}}) %} +{% endfor %} diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja index 0a8a4761f..bc6a429f0 100644 --- a/salt/firewall/soc/soc_firewall.yaml.jinja +++ b/salt/firewall/soc/soc_firewall.yaml.jinja @@ -1,3 +1,2 @@ -{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL %} - +{% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%} {{ SOC_FIREWALL | yaml(false) }} From fa5b9799f51c59581bff85c0f6125aa3878fe58c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Feb 2023 15:26:39 -0500 Subject: [PATCH 207/470] add firewall.soc to top for managers --- salt/top.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index 25ec1ccd4..c09974418 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -77,6 +77,7 @@ base: - telegraf - influxdb - soc + - firewall.soc - kratos - firewall - idstools @@ -121,6 +122,7 @@ base: - telegraf - influxdb - soc + - firewall.soc - kratos - firewall - manager 
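Review bot: The `update` call stores `'file': 'True'` and `'global': 'True'` as strings, whereas every hostgroup in `defaults_soc_firewall.yaml` uses the YAML boolean `True`; after `| yaml` these render as quoted `'True'`, and a consumer that tests the value as a boolean will treat custom groups differently from the built-in ones. Use the booleans, `'file': True, 'global': True`. `group[0]|upper ~ group[1:]` also raises on an empty string, which a blank line in the multiline `custom_groups.groups` setting can produce, failing the render of the whole SOC firewall file; wrapping the loop body in `{% if group %}` avoids that. Since the name comes straight from the SOC UI and becomes a pillar key and, presumably, a hostgroup name used by later states, restricting it to a safe character set such as `[A-Za-z0-9_-]` before use keeps those consumers predictable.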
@@ -163,6 +165,7 @@ base: - telegraf - influxdb - soc + - firewall.soc - kratos - firewall - idstools @@ -227,6 +230,7 @@ base: - telegraf - influxdb - soc + - firewall.soc - kratos - firewall - manager @@ -296,6 +300,7 @@ base: - telegraf - influxdb - soc + - firewall.soc - kratos - firewall - idstools From 6b486d96047f66e73b1055d19da53c2c0e75b1f4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Feb 2023 15:55:27 -0500 Subject: [PATCH 208/470] move to default --- salt/firewall/soc/init.sls | 2 +- salt/firewall/soc/soc_firewall.yaml.jinja | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/firewall/soc/init.sls b/salt/firewall/soc/init.sls index 2530606cc..bae1a3048 100644 --- a/salt/firewall/soc/init.sls +++ b/salt/firewall/soc/init.sls @@ -1,5 +1,5 @@ soc_firewall_yaml: file.managed: - - name: /opt/so/saltstack/local/salt/firewall/soc_firewall.yaml + - name: /opt/so/saltstack/default/salt/firewall/soc_firewall.yaml - source: salt://firewall/soc/soc_firewall.yaml.jinja - template: jinja diff --git a/salt/firewall/soc/soc_firewall.yaml.jinja b/salt/firewall/soc/soc_firewall.yaml.jinja index bc6a429f0..0502c0246 100644 --- a/salt/firewall/soc/soc_firewall.yaml.jinja +++ b/salt/firewall/soc/soc_firewall.yaml.jinja @@ -1,2 +1,2 @@ {% from 'firewall/soc/soc.map.jinja' import SOC_FIREWALL -%} -{{ SOC_FIREWALL | yaml(false) }} +{{ SOC_FIREWALL | yaml(False) }} From d12ea041bf5860fa13dad73e95a76cf5f5e8918a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Feb 2023 16:20:16 -0500 Subject: [PATCH 209/470] capitalize --- salt/firewall/soc/defaults_soc_firewall.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/firewall/soc/defaults_soc_firewall.yaml b/salt/firewall/soc/defaults_soc_firewall.yaml index 718cba441..fd72df523 100644 --- a/salt/firewall/soc/defaults_soc_firewall.yaml +++ b/salt/firewall/soc/defaults_soc_firewall.yaml 
@@ -31,40 +31,40 @@ firewall: file: True global: True title: Beats Endpoints SSL - helplink: firewall.html#host-groups + helpLink: firewall.html#host-groups elastic_agent_endpoint: description: List of IP addresses or CIDR blocks for Elastic Agent connections. file: True global: True title: Elastic Agents - helplink: firewall.html#host-groups + helpLink: firewall.html#host-groups elasticsearch_rest: description: List of IP addresses or CIDR blocks to allow access directly to Elasticsearch. file: True global: True title: Elasticsearch Rest advanced: True - helplink: firewall.html#host-groups + helpLink: firewall.html#host-groups endgame: description: List of IP addresses or CIDR blocks to allow Endgame access. file: True global: True title: Endgame advanced: True - helplink: firewall.html#host-groups + helpLink: firewall.html#host-groups strelka_frontend: description: List of IP addresses or CIDR blocks to allow access to the Strelka front end. file: True global: True title: Strelka Frontend advanced: True - helplink: firewall.html#host-groups + helpLink: firewall.html#host-groups syslog: description: List of IP addresses or CIDR blocks to allow syslog. file: True global: True title: Syslog Endpoint Traffic - helplink: firewall.html#host-groups + helpLink: firewall.html#host-groups standalone: description: List of IP addresses or CIDR blocks to allow standalone connections. file: True From f7176f998912f071408a3e6c29515b26112f836f Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 27 Feb 2023 09:58:43 -0500 Subject: [PATCH 210/470] Move Output to ES --- salt/common/tools/sbin/so-elastic-fleet-setup | 5 +++++ salt/elastic-fleet/install_agent_grid.sls | 2 +- salt/firewall/ports/ports.yaml | 1 + salt/top.sls | 10 ++++++++++ 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index b82890faa..b7bf1b3c3 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup 
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -84,6 +84,11 @@ printf '%s\n'\ " url: '{{ GLOBALS.manager_ip }}'"\ "" >> "$pillar_file" +#Store Grid Nodes Enrollment token in Global pillar +global_pillar_file=/opt/so/saltstack/local/pillar/soc_global.sls +printf '%s\n'\ + " fleet_grid_enrollment_token: '$GRIDNODESENROLLMENTOKEN'"\ + "" >> "$global_pillar_file" # Call Elastic-Fleet Salt State salt-call state.apply elastic-fleet queue=True diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elastic-fleet/install_agent_grid.sls index 857e31315..2f848ac2e 100644 --- a/salt/elastic-fleet/install_agent_grid.sls +++ b/salt/elastic-fleet/install_agent_grid.sls @@ -2,7 +2,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. -{%- set GRIDNODETOKEN = salt['pillar.get']('elasticfleet:server:grid_enrollment') -%} +{%- set GRIDNODETOKEN = salt['pillar.get']('global:fleet_grid_enrollment_token') -%} {% set AGENT_STATUS = salt['service.available']('elastic-agent') %} {% if not AGENT_STATUS %} diff --git a/salt/firewall/ports/ports.yaml b/salt/firewall/ports/ports.yaml index 22c6c8b09..de0539258 100644 --- a/salt/firewall/ports/ports.yaml +++ b/salt/firewall/ports/ports.yaml @@ -32,6 +32,7 @@ firewall: elastic_agent_data: tcp: - 5055 + - 9200 endgame: tcp: - 3765 diff --git a/salt/top.sls b/salt/top.sls index 25ec1ccd4..0a57f6e4e 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -63,6 +63,7 @@ base: {%- endif %} - schedule - docker_clean + - elastic-fleet.install_agent_grid '*_eval and G@saltversion:{{saltversion}}': - match: compound @@ -108,6 +109,7 @@ base: - playbook - redis {%- endif %} + - elastic-fleet.install_agent_grid - docker_clean '*_manager and G@saltversion:{{saltversion}}': @@ -148,6 +150,7 @@ base: - schedule - soctopus - playbook + - elastic-fleet.install_agent_grid - docker_clean '*_standalone and G@saltversion:{{saltversion}}': 
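Review bot: The new `printf` block appends `fleet_grid_enrollment_token` to `soc_global.sls` on the assumption that the file currently ends inside the `global:` mapping at two-space indentation, and because it appends rather than edits in place, a re-run of setup duplicates the key (YAML loaders silently keep the last value); guarding the write with `grep -q '^  fleet_grid_enrollment_token:' "$global_pillar_file" ||` before the printf keeps it idempotent. Moving the token from the `elasticfleet` pillar to the `global` pillar, which the install_agent_grid.sls hunk of this commit reads and which the top.sls hunks now apply to every role, widens the set of minions that receive this enrollment secret; please confirm that is intended and that `soc_global.sls` carries the same restrictive permissions as the other pillar files holding secrets. The token is interpolated into a single-quoted YAML scalar, so a value containing `'` would yield an unparsable pillar; if the token format can contain one, escape it as `''` or write the pillar with a YAML-aware tool. `#Store Grid Nodes Enrollment token in Global pillar` also drops the space after `#` that the surrounding comments use.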
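Review bot: Adding `9200` to the `elastic_agent_data` portgroup lets every hostgroup carrying that portgroup reach the Elasticsearch REST port directly, an exposure the defaults file on this page (patch 209) otherwise reserves for the separate, `advanced: True` `elasticsearch_rest` hostgroup; the assigned_hostgroups map earlier in this series assigns `elastic_agent_data` to sensor, search and heavy node roles, and presumably to the `elastic_agent_endpoint` hostgroup of arbitrary agent hosts as well. That may be exactly what shipping agent output straight to Elasticsearch requires, but it should be recorded in ports.yaml, e.g. `# 9200: agents write directly to Elasticsearch; access is scoped by ES authentication, not by the firewall`, and reviewed against which credentials the agents present, so that widening the firewall does not also widen what an enrolled agent host can do.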
@@ -199,6 +202,7 @@ base: - playbook - docker_clean - elastic-fleet + - elastic-fleet.install_agent_grid '*_searchnode and G@saltversion:{{saltversion}}': - match: compound @@ -214,6 +218,7 @@ base: - logstash {%- endif %} - schedule + - elastic-fleet.install_agent_grid - docker_clean '*_managersearch and G@saltversion:{{saltversion}}': @@ -254,6 +259,7 @@ base: - schedule - soctopus - playbook + - elastic-fleet.install_agent_grid - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': @@ -282,6 +288,7 @@ base: - zeek {%- endif %} - schedule + - elastic-fleet.install_agent_grid - docker_clean '*_import and G@saltversion:{{saltversion}}': @@ -312,6 +319,7 @@ base: - zeek - schedule - docker_clean + - elastic-fleet.install_agent_grid - elastic-fleet '*_receiver and G@saltversion:{{saltversion}}': @@ -327,6 +335,7 @@ base: - redis {%- endif %} - schedule + - elastic-fleet.install_agent_grid - docker_clean '*_idh and G@saltversion:{{saltversion}}': @@ -336,6 +345,7 @@ base: - telegraf - firewall - schedule + - elastic-fleet.install_agent_grid - docker_clean - idh From b4015ac73e7ed18f557bf06e94332f51c7b35697 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Feb 2023 10:05:08 -0500 Subject: [PATCH 211/470] add sensor to node_containers --- salt/firewall/containers.map.jinja | 25 +++++++++++++------------ salt/firewall/init.sls | 10 ++++++++++ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index bd4cf72f1..a2114258f 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -22,9 +22,8 @@ 'so-strelka-manager', 'so-strelka-filestream' ] %} -{% endif %} -{% if GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %} +{% elif GLOBALS.role == 'so-manager' or GLOBALS.role == 'so-standalone' or GLOBALS.role == 'so-managersearch' %} {% set NODE_CONTAINERS = [ 'so-curator', 'so-dockerregistry', 
@@ -47,17 +46,15 @@ 'so-strelka-manager', 'so-strelka-filestream' ] %} -{% endif %} -{% if GLOBALS.role == 'so-searchnode' %} +{% elif GLOBALS.role == 'so-searchnode' %} {% set NODE_CONTAINERS = [ 'so-elasticsearch', 'so-logstash', 'so-nginx' ] %} -{% endif %} -{% if GLOBALS.role == 'so-heavynode' %} +{% elif GLOBALS.role == 'so-heavynode' %} {% set NODE_CONTAINERS = [ 'so-curator', 'so-elasticsearch', @@ -71,9 +68,8 @@ 'so-strelka-manager', 'so-strelka-filestream' ] %} -{% endif %} -{% if GLOBALS.role == 'so-import' %} +{% elif GLOBALS.role == 'so-import' %} {% set NODE_CONTAINERS = [ 'so-dockerregistry', 'so-elasticsearch', @@ -85,17 +81,22 @@ 'so-nginx', 'so-soc' ] %} -{% endif %} -{% if GLOBALS.role == 'so-receiver' %} +{% elif GLOBALS.role == 'so-receiver' %} {% set NODE_CONTAINERS = [ 'so-logstash', 'so-redis', ] %} -{% endif %} -{% if GLOBALS.role == 'so-idh' %} +{% elif GLOBALS.role == 'so-idh' %} {% set NODE_CONTAINERS = [ 'so-idh', ] %} + +{% elif GLOBALS.role == 'so-sensor' %} +{% set NODE_CONTAINERS = [] %} + +{% else %} +{% set NODE_CONTAINERS = [] %} + {% endif %} diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 12aaed39e..63e8d326b 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -5,6 +5,8 @@ disable_firewalld: service.dead: - name: firewalld - enable: False + - prereq: + - file: iptables_config create_sysconfig_iptables: file.touch: @@ -22,6 +24,14 @@ iptables_restore: cmd.run: - name: iptables-restore < /etc/sysconfig/iptables +enable_firewalld: + service.enabled: + - name: firewalld + - enable: True + - onfail: + - file: iptables_config + - cmd: iptables_restore + {% else %} {{sls}}_state_not_allowed: From 068d383442c165617bd497ae5a9e91aab15f3c12 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Feb 2023 12:44:46 -0500 Subject: [PATCH 212/470] change to service.running --- salt/firewall/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
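Review bot: The new `so-sensor` branch at the end of the containers.map.jinja chain sets `NODE_CONTAINERS = []`, which is exactly what the `else` branch directly below it does, so the branch adds no behaviour; either drop it or, if the intent is to document that sensors expose no container ports, keep it with a comment such as `{# sensors expose no container ports through the firewall; listed explicitly so a new sensor container is not forgotten #}`. Converting the chain to `elif` also means only the first matching role sets the list, which is fine because the role conditions are mutually exclusive, but a one-line comment above the chain saying so would save the next reader the check.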
diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 63e8d326b..7feb8dd3b 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -25,7 +25,7 @@ iptables_restore: - name: iptables-restore < /etc/sysconfig/iptables enable_firewalld: - service.enabled: + service.running: - name: firewalld - enable: True - onfail: From 44ed48033cd77c67c811c8a8d7a3e649f95970d2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Feb 2023 13:04:23 -0500 Subject: [PATCH 213/470] move requirement --- salt/firewall/init.sls | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 7feb8dd3b..f59a39aca 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,13 +1,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -disable_firewalld: - service.dead: - - name: firewalld - - enable: False - - prereq: - - file: iptables_config - create_sysconfig_iptables: file.touch: - name: /etc/sysconfig/iptables @@ -20,6 +13,13 @@ iptables_config: - source: salt://firewall/iptables.jinja - template: jinja +disable_firewalld: + service.dead: + - name: firewalld + - enable: False + - require: + - file: iptables_config + iptables_restore: cmd.run: - name: iptables-restore < /etc/sysconfig/iptables From 9967e918255e37e453f721c74dd6afaa7d265bcf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Feb 2023 13:42:11 -0500 Subject: [PATCH 214/470] remove mysql check --- salt/mysql/init.sls | 2 -- setup/so-verify | 5 ++++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index c077695b8..8c4edc651 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -112,8 +112,6 @@ so-mysql: - onchanges: - docker_container: so-mysql module.run: - - so.mysql_conn: - - retry: 300 - onchanges: - cmd: so-mysql diff --git a/setup/so-verify b/setup/so-verify index 44c0465ff..f2b5a76b6 100755 
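Review bot: In the "move requirement" change, with `disable_firewalld` now requiring `iptables_config`, the ordering that matters most for the host's exposure — firewalld must be stopped before `iptables_restore` loads the ruleset, since firewalld's shutdown cleanup can remove rules from the tables it manages — is still only implied by file order; `iptables_restore`, whose definition continues past the hunk, shows no requisite on the service. Adding `- require:` followed by `  - service: disable_firewalld` under `iptables_restore` makes that dependency explicit and also keeps the `onfail` fallback from the previous commit meaningful if the states are ever reordered.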
--- a/setup/so-verify +++ b/setup/so-verify @@ -36,11 +36,14 @@ log_has_errors() { grep -vE "The Salt Master has cached the public key for this node" | \ grep -vE "Minion failed to authenticate with the master" | \ grep -vE "Failed to connect to ::1" | \ - grep -vE "Failed to set locale" | \ + grep -vE "Failed to set locale" | \ grep -vE "perl-Error-" | \ grep -vE "Failed:\s*?[0-9]+" | \ grep -vE "Status .* was not found" | \ grep -vE "Uncaught exception, closing connection" | \ + grep -vE "Server does not appear to be running or fully initialized - will try again in 10 seconds" | \ + grep -vE "Command 'so-influxdb-manage' failed with return code" | \ + grep -vE "retcode: 1" | \ grep -vE "Exception in callback None" | \ grep -vE "deprecation: ERROR" | \ grep -vE "code: 100" | \ From aa7b05d639d992c9c4e16e162ff3a67de49a49c2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Feb 2023 14:12:26 -0500 Subject: [PATCH 215/470] small cleanup --- salt/allowed_states.map.jinja | 9 +-- salt/manager/files/acng/acng.conf | 96 ------------------------------- salt/mysql/init.sls | 14 ----- salt/top.sls | 4 -- salt/yum/packages.sls | 4 -- 5 files changed, 1 insertion(+), 126 deletions(-) delete mode 100644 salt/manager/files/acng/acng.conf delete mode 100644 salt/yum/packages.sls diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index bc2a7c86b..3548a7f0d 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja 
@@ -250,14 +250,7 @@ {% if REDIS and grains.role in ['so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} {% do allowed_states.append('redis') %} {% endif %} - - {% if grains.os == 'Rocky' %} - {% if not ISAIRGAP %} - {% do allowed_states.append('yum') %} - {% endif %} - {% do allowed_states.append('yum.packages') %} - {% endif %} - + {# all nodes on the right salt version can run the following states #} {% do allowed_states.append('common') %} {% do allowed_states.append('patch.os.schedule') %} diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf deleted file mode 100644 index 1f1f53754..000000000 --- a/salt/manager/files/acng/acng.conf +++ /dev/null 
@@ -1,96 +0,0 @@ -# This is a configuration file for apt-cacher-ng, a smart caching proxy for -CacheDir: /var/cache/apt-cacher-ng -LogDir: /var/log/apt-cacher-ng -Port: 3142 -# BindAddress: localhost 192.168.7.254 publicNameOnMainInterface -Remap-debrep: file:deb_mirror*.gz /debian ; file:backends_debian # Debian Archives -Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu.us # Ubuntu Archives -Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here -Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux -Remap-centosmirrorlist: mirrorlist.centos.org -Remap-centos: file:centos_mirrors ; file:backends_centos.us # Fedora Linux -Remap-fedora: file:fedora_mirrors ; file:backends_fedora.us # Fedora Linux -Remap-epel: file:epel_mirrors ; file:backends_epel.us # Fedora EPEL -Remap-slrep: file:sl_mirrors # Scientific Linux -Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives -#Remap-alpine: file:alpine_mirrors /alpine #; dl-cdn.alpinelinux.org # Alpine Archives -Remap-alpine: dl-cdn.alpinelinux.org -Remap-yarn: registry.yarnpkg.com -Remap-npm: registry.npmjs.org -Remap-node: nodejs.org -Remap-apache: file:apache_mirrors ; file:backends_apache.us -Remap-salt: repo.saltstack.com; https://repo.saltstack.com -Remap-securityonion: http://repocache.securityonion.net ; file:securityonion -# Remap-secdeb: security.debian.org -ReportPage: acng-report.html -# SocketPath:/var/run/apt-cacher-ng/socket -UnbufferLogs: 1 -VerboseLog: 1 -ForeGround: 1 -# PidFile: /var/run/apt-cacher-ng/pid -# Offlinemode: 0 -# ForceManaged: 0 -ExTreshold: 8 -# ExAbortOnProblems: 1 -# ExSuppressAdminNotification: 1 -# StupidFs: 0 -# ForwardBtsSoap: 1 -# DnsCacheSeconds: 1800 -# MaxStandbyConThreads: 8 -MaxConThreads: 120 -# -# - static data that doesn't change silently ont he server (PFilePattern) -# - volatile data that can be changed like every hour 
(VFilePattern) -# - special static data that shared some file names with volatile data, -# and in doubt should be identified as static (SPfilePattern) -# - a "whitelist pattern" with hints for the regular expiration job telling -# to keep the files even if they are not referenced by others, like crypto -# signatures with which clients begin their downloads (WfilePattern) -# -VfilePatternEx: (metalink\?repo=[0-9a-zA-Z-]+&arch=[0-9a-zA-Z_-]+|/\?release=[0-9]+&arch=|repodata/.*\.(xml|sqlite)\.(gz|bz2)|APKINDEX.tar.gz|filelists\.xml\.gz|filelists\.sqlite\.bz2|repomd\.xml|packages\.[a-zA-Z][a-zA-Z]\.gz) -PfilePatternEx: (/dists/.*/by-hash/.*|\.tgz|\.tar|\.xz|\.bz2|\.rpm|\.apk)$ -# WfilePatternEx: -# SPfilePatternEx: - -Debug:1 -# ExposeOrigin: 0 -# LogSubmittedOrigin: 0 -# UserAgent: Yet Another HTTP Client/1.2.3p4 -# RecompBz2: 0 -# NetworkTimeout: 60 - -# DontCacheRequested: linux-.*_10\...\.Custo._i386 -# DontCacheRequested: 192.168.0 ^10\..* 172.30 -# DontCacheResolved: ubuntumirror.local.net -DontCache: mirrorlist.centos.org - -# DirPerms: 00755 -# FilePerms: 00664 - -LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng -# PrecacheFor: debrep/dists/unstable/*/source/Sources* debrep/dists/unstable/*/binary-amd64/Packages* -# RequestAppendix: X-Tracking-Choice: do-not-track\r\n -# ConnectProto: v6 v4 -# KeepExtraVersions: 0 -# UseWrap: 0 -FreshIndexMaxAge: 300 -# AllowUserPorts: 80 -RedirMax: 6 -# VfileUseRangeOps is set for fedora volatile files on mirrors that dont to range -VfileUseRangeOps: -1 -# PassThroughPattern: private-ppa\.launchpad\.net:443$ -# PassThroughPattern: .* # this would allow CONNECT to everything -PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|repo\.saltproject\.io:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/ -# ResponseFreezeDetectTime: 500 
-# ReuseConnections: 1 -# PipelineDepth: 255 -# CApath: /etc/ssl/certs -# CAfile: -# OptProxyTimeout: -1 -# MaxDlSpeed: 500 -# MaxInresponsiveDlSize: 64000 -# BadRedirDetectMime: text/html -{% set proxy = salt['pillar.get']('manager:proxy') -%} -{% if proxy -%} -Proxy: {{ proxy }} -{% endif -%} diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 8c4edc651..44e6789af 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -106,20 +106,6 @@ so-mysql: - require: - file: mysqlcnf - file: mysqlpass - cmd.run: - - name: until nc -z {{ GLOBALS.manager }} 3306; do sleep 1; done - - timeout: 600 - - onchanges: - - docker_container: so-mysql - module.run: - - onchanges: - - cmd: so-mysql - -append_so-mysql_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-mysql - {% endif %} {% else %} diff --git a/salt/top.sls b/salt/top.sls index c09974418..e029e3e2c 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -28,10 +28,6 @@ base: - salt.minion-state-apply-test - salt.minion - 'G@os:Rocky and G@saltversion:{{saltversion}}': - - match: compound - - yum.packages - '* and G@saltversion:{{saltversion}}': - match: compound - salt.minion diff --git a/salt/yum/packages.sls b/salt/yum/packages.sls deleted file mode 100644 index f70fa20be..000000000 --- a/salt/yum/packages.sls +++ /dev/null @@ -1,4 +0,0 @@ -install_yum_utils: - pkg.installed: - - name: yum-utils - From 8d33f01936f45b12d36b098f184e04df44a9f760 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 27 Feb 2023 15:01:31 -0500 Subject: [PATCH 216/470] Update defaults.map.jinja --- salt/soc/defaults.map.jinja | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index 742d3d0dc..ff23914ec 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja 
@@ -2,7 +2,12 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER -%} {%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} +{% if salt['docker.pid']('so-influxdb') > 0 %} {%- set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %} +{% else %} +{% set METRICS_LINK = '' %} +{% endif %} + {% for module, application_url in GLOBALS.application_urls.items() %} {% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %} @@ -20,7 +25,7 @@ {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.influxdb_host ~ ':8086'}) %} {% do SOCDEFAULTS.soc.server.modules.influxdb.update({'token': INFLUXDB_TOKEN}) %} {% for tool in SOCDEFAULTS.soc.server.client.tools %} -{% if tool.name == "toolInfluxDb" %} +{% if tool.name == "toolInfluxDb" and METRICS_LINK | length > 0 %} {% do tool.update({'link': METRICS_LINK}) %} {% endif %} {% endfor %} From 16929707893e6b90cb1e22073197a845ef5f6e3f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Feb 2023 15:22:08 -0500 Subject: [PATCH 217/470] back out verify changes since underlying errors should be fixed --- setup/so-verify | 3 --- 1 file changed, 3 deletions(-) diff --git a/setup/so-verify b/setup/so-verify index f2b5a76b6..d9cbf9a88 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -41,9 +41,6 @@ log_has_errors() { grep -vE "Failed:\s*?[0-9]+" | \ grep -vE "Status .* was not found" | \ grep -vE "Uncaught exception, closing connection" | \ - grep -vE "Server does not appear to be running or fully initialized - will try again in 10 seconds" | \ - grep -vE "Command 'so-influxdb-manage' failed with return code" | \ - grep -vE "retcode: 1" | \ grep -vE "Exception in callback None" | \ grep -vE "deprecation: ERROR" | \ grep -vE "code: 100" | \ From 8632606a24ec1c2ef8b4510864f412da6d2ddb2f Mon Sep 17 00:00:00 2001 
From: Josh Patterson Date: Mon, 27 Feb 2023 15:37:35 -0500 Subject: [PATCH 218/470] Update defaults.map.jinja --- salt/soc/defaults.map.jinja | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index ff23914ec..eb9e57cb3 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -1,11 +1,13 @@ {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER -%} -{%- set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} -{% if salt['docker.pid']('so-influxdb') > 0 %} -{%- set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %} -{% else %} -{% set METRICS_LINK = '' %} +{% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} +{% if salt['docker.exists']('so-influxdb') %} +{% if salt['docker.pid']('so-influxdb') > 0 %} +{% set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %} +{% else %} +{% set METRICS_LINK = '' %} +{% endif %} {% endif %} From cbcd3c9dd9dff3456e933f66fbe200710122a11b Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Mon, 27 Feb 2023 15:39:03 -0500 Subject: [PATCH 219/470] Update defaults.map.jinja --- salt/soc/defaults.map.jinja | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index eb9e57cb3..95bfb2a76 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja 
@@ -2,11 +2,10 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER -%} {% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} +{% set METRICS_LINK = '' %} {% if salt['docker.exists']('so-influxdb') %} {% if salt['docker.pid']('so-influxdb') > 0 %} {% set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %} -{% else %} -{% set METRICS_LINK = '' %} {% endif %} {% endif %} From c00d6710988fa60ce907cc927cb81d1a76d45ebc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 28 Feb 2023 09:40:57 -0500 Subject: [PATCH 220/470] backup influx dir --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index 381c4b497..35d625faa 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1832,6 +1832,7 @@ reinstall_init() { # Backup (and erase) directories in /nsm to prevent app errors backup_dir /nsm/mysql "$date_string" backup_dir /nsm/kratos "$date_string" + backup_dir /nsm/influxdb "$date_string" # Remove the old launcher package in case the config changes remove_package launcher-final From ff495cb20efc13e9341ad233459b9c875f362cae Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 28 Feb 2023 10:41:44 -0500 Subject: [PATCH 221/470] fix formatting issue --- setup/so-verify | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-verify b/setup/so-verify index d9cbf9a88..8c68852be 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -36,7 +36,7 @@ log_has_errors() { grep -vE "The Salt Master has cached the public key for this node" | \ grep -vE "Minion failed to authenticate with the master" | \ grep -vE "Failed to connect to ::1" | \ - grep -vE "Failed to set locale" | \ + grep -vE "Failed to set locale" | \ grep -vE "perl-Error-" | \ grep -vE "Failed:\s*?[0-9]+" | \ grep -vE "Status .* was not found" | \ From d5df1a106afbecbd09bac8a355216afbf63b1679 Mon Sep 17 00:00:00 2001 
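Review bot: `METRICS_LINK` takes whatever `cmd.run` returns, and the `tool.name == "toolInfluxDb" and METRICS_LINK | length > 0` guard added in patch 216 further down the file only checks for a non-empty string, so when `so-influxdb-manage dashboardpath ...` exits non-zero — a live container pid does not mean InfluxDB has finished initialising, as the error strings filtered in the so-verify hunk of patch 214 suggest — its error output becomes the dashboard link shown in SOC. Using `cmd.run_all` and assigning only on `retcode == 0` keeps the link empty (and the tool entry untouched) on failure:
```jinja
{% set METRICS_LINK = '' %}
{# … unchanged: docker.exists / docker.pid checks … #}
{% set metrics = salt['cmd.run_all']('so-influxdb-manage dashboardpath "Security Onion Performance"') %}
{% if metrics.retcode == 0 %}
{% set METRICS_LINK = metrics.stdout %}
{% endif %}
```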
From: Jason Ertel Date: Tue, 28 Feb 2023 13:43:52 -0500 Subject: [PATCH 222/470] refactor automated testing inputs due to streamlined setup process --- setup/so-functions | 2 +- setup/so-setup | 66 ++++++++++++++++++++++++---------------------- 2 files changed, 35 insertions(+), 33 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 381c4b497..ef9174e74 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -322,7 +322,7 @@ collect_hostname() { } collect_hostname_validate() { - if [[ $automated == no ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi + if [[ -z "$TESTING" ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi whiptail_set_hostname "$HOSTNAME" diff --git a/setup/so-setup b/setup/so-setup index 6825afc9d..8a295afcd 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -37,10 +37,10 @@ source ./so-variables # Parse command line arguments setup_type=$1 -automation=$2 +test_profile=$2 + WHATWOULDYOUSAYYAHDOHERE=setup -# This is for automation while [[ $# -gt 0 ]]; do arg="$1" shift @@ -49,12 +49,8 @@ while [[ $# -gt 0 ]]; do export TURBO="http://${arg#*=}";; "--proxy="* ) export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; - "--allow-role="* ) - export ALLOW_ROLE="${arg#*=}";; "--allow-cidr="* ) export ALLOW_CIDR="${arg#*=}";; - "--skip-reboot" ) - export SKIP_REBOOT=1;; * ) if [[ "$arg" == "--"* ]]; then echo "Invalid option" 
@@ -166,41 +162,47 @@ catch() { exit 1 } -automated=no - # Add the progress function for manager node type installs progress() { local msg=${1:-'Please wait while installing...'} - if [ $automated == no ]; then + if [ -z "$TESTING" ]; then whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text else cat >> $setup_log 2>&1 fi } -# If using automation let's do automation things. -if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then - info "Preselecting variable values based on automated setup: $automation" - source automation/$automation - automated=yes +if [ -n "$test_profile" ]; then + install_type="$(echo $test_profile |awk -F- '{print $1}')" + info "Activating test profile: $test_profile" - attempt=1 - attempts=60 - ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 - while [ $? -ne 0 ]; do - logCmd "ip a" - if [ $attempt -gt $attempts ]; then - error "Network unavailable - setup cannot continue" - exit 1 - fi - info "Waiting for network to come up (attempt $attempt of $attempts)" - attempt=$((attempt + 1)) - info "Sleeping 10s to try again" - sleep 10; - logCmd "ip a | grep '$MNIC:' | grep 'state UP'" - done - info "Network is up on $MNIC" + # The below settings are hardcoded purely for automated testing purposes. + TESTING=true + MSRV=manager + if [ "$test_profile" =~ *"-net" ]; then + address_type=DHCP + MSRVIP=10.66.166.72 + elif [ "$test_profile" =~ *"-cloud" ]; then + MSRVIP=10.99.1.20 + elif [ "$test_profile" =~ *"-iso" ]; then + MSRVIP=10.66.166.42 + elif [ "$test_profile" =~ *"-airgap" ]; then + MSRVIP=10.66.166.52 + fi + if [ -f "/root/public_ip" ]; then + REDIRECTHOST=$(cat /root/public_ip) + REDIRECTINFO=OTHER + else + REDIRECTINFO=IP + fi + ALLOW_CIDR=0.0.0.0/0 + MNIC=eth0 + BNICS=eth1 + HOSTNAME=$install_type + WEBUSER=onionuser@somewhere.invalid + WEBPASSWD1=0n10nus3r + WEBPASSWD2=0n10nus3r fi # Make sure the setup type is suppoted. 
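Review bot: The `if [ "$test_profile" =~ *"-net" ]` test and its three `elif` siblings use the regex operator inside single-bracket `[ ]`, which the `test` builtin does not support, so each comparison errors out and `MSRVIP` (and `address_type`) is never set for any profile; the glob form `if [[ "$test_profile" == *"-net" ]]; then` (and the same for the `-cloud`, `-iso` and `-airgap` branches) is what the pattern intends. The gate also changed from "a file with this name exists under automation/" to `[ -n "$test_profile" ]`, so any stray second positional argument to so-setup now switches on TESTING mode, which sets `ALLOW_CIDR=0.0.0.0/0` and a fixed web-UI password on a real install; validating `$test_profile` against the known profile names (or requiring an explicit `--test-profile=` option parsed in the argument loop above) would keep that fail-safe. The fixed credentials previously lived in the deleted automation files and now ship inside the product's setup script itself, so a comment such as `# Test-only fixtures; never applied unless a test profile is supplied.` above the block would make their scope clear.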
@@ -227,7 +229,7 @@ dmesg -D # Kernel consoleblank is causing whiptail progress screen to appear to hang #1084 # https://github.com/Security-Onion-Solutions/securityonion/issues/1084 -if [ "$automated" == no ]; then +if [ -z "$TESTING" ]; then TTY=$(tty) info "Setup is running on TTY $TTY" if echo $TTY | grep -q "/dev/tty"; then @@ -283,7 +285,7 @@ if ! [[ -f $install_opt_file ]]; then compare_main_nic_ip fi - if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then + if [[ $setup_type == 'iso' ]] && [ -z "$TESTING" ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then collect_hostname From 9c3cc17153a248bd1bf02130a54e91dd177435e0 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Tue, 28 Feb 2023 13:44:38 -0500 Subject: [PATCH 223/470] refactor automated testing inputs due to streamlined setup process --- setup/automation/distributed-airgap-manager | 67 -------------------- setup/automation/distributed-airgap-search | 68 -------------------- setup/automation/distributed-airgap-sensor | 68 -------------------- setup/automation/distributed-cloud-manager | 66 ------------------- setup/automation/distributed-cloud-search | 68 -------------------- setup/automation/distributed-cloud-sensor | 68 -------------------- setup/automation/distributed-iso-manager | 66 ------------------- setup/automation/distributed-iso-search | 68 -------------------- setup/automation/distributed-iso-sensor | 70 --------------------- setup/automation/distributed-net-manager | 66 ------------------- setup/automation/distributed-net-search | 68 -------------------- setup/automation/distributed-net-sensor | 68 -------------------- setup/automation/eval-airgap | 67 -------------------- setup/automation/eval-cloud | 66 ------------------- setup/automation/eval-iso | 66 ------------------- setup/automation/eval-net | 66 ------------------- setup/automation/import-airgap | 67 -------------------- setup/automation/import-cloud | 66 ------------------- setup/automation/import-iso | 66 ------------------- setup/automation/import-net | 66 ------------------- setup/automation/standalone-airgap | 67 -------------------- setup/automation/standalone-cloud | 66 ------------------- setup/automation/standalone-iso | 66 ------------------- setup/automation/standalone-net | 66 ------------------- 24 files changed, 1606 deletions(-) delete mode 100644 setup/automation/distributed-airgap-manager delete mode 100644 setup/automation/distributed-airgap-search delete mode 100644 setup/automation/distributed-airgap-sensor delete mode 100644 setup/automation/distributed-cloud-manager delete mode 100644 setup/automation/distributed-cloud-search delete mode 100644 
setup/automation/distributed-cloud-sensor delete mode 100644 setup/automation/distributed-iso-manager delete mode 100644 setup/automation/distributed-iso-search delete mode 100644 setup/automation/distributed-iso-sensor delete mode 100644 setup/automation/distributed-net-manager delete mode 100644 setup/automation/distributed-net-search delete mode 100644 setup/automation/distributed-net-sensor delete mode 100644 setup/automation/eval-airgap delete mode 100644 setup/automation/eval-cloud delete mode 100644 setup/automation/eval-iso delete mode 100644 setup/automation/eval-net delete mode 100644 setup/automation/import-airgap delete mode 100644 setup/automation/import-cloud delete mode 100644 setup/automation/import-iso delete mode 100644 setup/automation/import-net delete mode 100644 setup/automation/standalone-airgap delete mode 100644 setup/automation/standalone-cloud delete mode 100644 setup/automation/standalone-iso delete mode 100644 setup/automation/standalone-net diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager deleted file mode 100644 index f9d2e7cdc..000000000 --- a/setup/automation/distributed-airgap-manager +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -TESTING=true - -address_type=DHCP -ADMINUSER=onionuser -ADMINPASS1=onionuser -ADMINPASS2=onionuser -ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a -BASICZEEK=2 -BASICSURI=2 -# BLOGS= -#BNICS=eth1 -ZEEKVERSION=ZEEK -# CURCLOSEDAYS= -# EVALADVANCED=BASIC -# HELIXAPIKEY= -HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 -HNSENSOR=inherit -HOSTNAME=Distributed-manager -install_type=MANAGER -INTERWEBS=AIRGAP -# LSINPUTBATCHCOUNT= -# LSINPUTTHREADS= -# LSPIPELINEBATCH= -# LSPIPELINEWORKERS= -MANAGERADV=BASIC -# MDNS= -# MGATEWAY= -# MIP= -# MMASK= -MNIC=eth0 -# MSEARCH= -# MSRV= -# MTU= -NIDS=Suricata -# NODE_ES_HEAP_SIZE= -# NODE_LS_HEAP_SIZE= -NODESETUP=NODEBASIC -NSMSETUP=BASIC -NODEUPDATES=MANAGER -# OINKCODE= -OSQUERY=1 -# PATCHSCHEDULEDAYS= -# PATCHSCHEDULEHOURS= -PATCHSCHEDULENAME=auto -PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=IP -RULESETUP=ETOPEN -# SHARDCOUNT= -# SKIP_REBOOT= -SOREMOTEPASS1=onionuser -SOREMOTEPASS2=onionuser -STRELKA=1 -THEHIVE=0 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search deleted file mode 100644 index 897014f3a..000000000 --- a/setup/automation/distributed-airgap-search +++ /dev/null 
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-# ALLOW_CIDR=0.0.0.0/0
-# ALLOW_ROLE=a
-# BASICZEEK=7
-# BASICSURI=7
-# BLOGS=
-# BNICS=eth1
-# ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-search
-install_type=SEARCHNODE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-# MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.66.166.52
-# MTU=
-# NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-# REDIRECTINFO=IP
-# RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-# STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor
deleted file mode 100644
index 7f6565595..000000000
--- a/setup/automation/distributed-airgap-sensor
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-# ALLOW_CIDR=0.0.0.0/0
-# ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=Distributed-sensor
-install_type=SENSOR
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-# MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.66.166.52
-# MTU=
-# NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-# NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-# REDIRECTINFO=IP
-# RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-# STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-cloud-manager b/setup/automation/distributed-cloud-manager
deleted file mode 100644
index baaf4a11c..000000000
--- a/setup/automation/distributed-cloud-manager
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-manager
-install_type=MANAGER
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=0
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-cloud-search b/setup/automation/distributed-cloud-search
deleted file mode 100644
index 42c6b5726..000000000
--- a/setup/automation/distributed-cloud-search
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-#ALLOW_CIDR=0.0.0.0/0
-#ALLOW_ROLE=a
-#BASICZEEK=7
-#BASICSURI=7
-# BLOGS=
-#BNICS=ens6
-#ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-search
-install_type=SEARCHNODE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-#MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.99.1.20
-# MTU=
-#NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-#OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-#PLAYBOOK=1
-# REDIRECTHOST=
-#REDIRECTINFO=HOSTNAME
-#RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=0
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-#STRELKA=1
-#THEHIVE=0
-#WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-cloud-sensor b/setup/automation/distributed-cloud-sensor
deleted file mode 100644
index bb7f8716f..000000000
--- a/setup/automation/distributed-cloud-sensor
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-#ALLOW_CIDR=0.0.0.0/0
-#ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-sensor
-install_type=SENSOR
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-#MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.99.1.20
-# MTU=
-#NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-#NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-#OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-#PLAYBOOK=1
-# REDIRECTHOST=
-#REDIRECTINFO=HOSTNAME
-#RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=0
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-#STRELKA=1
-#THEHIVE=0
-#WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager
deleted file mode 100644
index c601d3283..000000000
--- a/setup/automation/distributed-iso-manager
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-manager
-install_type=MANAGER
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search
deleted file mode 100644
index 87165c053..000000000
--- a/setup/automation/distributed-iso-search
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-# ALLOW_CIDR=0.0.0.0/0
-# ALLOW_ROLE=a
-# BASICZEEK=7
-# BASICSURI=7
-# BLOGS=
-# BNICS=eth1
-# ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-search
-install_type=SEARCHNODE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-# MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.66.166.42
-# MTU=
-# NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=ADVANCED
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-# REDIRECTINFO=IP
-# RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-# STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor
deleted file mode 100644
index 6762488f7..000000000
--- a/setup/automation/distributed-iso-sensor
+++ /dev/null
@@ -1,70 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-# ALLOW_CIDR=0.0.0.0/0
-# ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=Distributed-Sensor
-install_type=SENSOR
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-# MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.66.166.42
-MTU=1500
-# NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-# NODESETUP=NODEBASIC
-NSMSETUP=ADVANCED
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-# REDIRECTINFO=IP
-# RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-# STRELKA=1
-SURIPINS=(2 3)
-# THEHIVE=0
-# WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
-ZEEKPINS=(0 1)
diff --git a/setup/automation/distributed-net-manager b/setup/automation/distributed-net-manager
deleted file mode 100644
index fff5bdb39..000000000
--- a/setup/automation/distributed-net-manager
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=SURICATA
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-manager
-install_type=MANAGER
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-net-search b/setup/automation/distributed-net-search
deleted file mode 100644
index 8a3fb7784..000000000
--- a/setup/automation/distributed-net-search
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-# ALLOW_CIDR=0.0.0.0/0
-# ALLOW_ROLE=a
-# BASICZEEK=7
-# BASICSURI=7
-# BLOGS=
-# BNICS=eth1
-# ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-search
-install_type=SEARCHNODE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-# MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.66.166.72
-# MTU=
-# NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-# REDIRECTINFO=IP
-# RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-# STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-net-sensor b/setup/automation/distributed-net-sensor
deleted file mode 100644
index eb104f1a8..000000000
--- a/setup/automation/distributed-net-sensor
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-# ALLOW_CIDR=0.0.0.0/0
-# ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=SURICATA
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=distributed-sensor
-install_type=SENSOR
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-# MANAGERADV=BASIC
-MANAGERUPDATES=1
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-MSRV=distributed-manager
-MSRVIP=10.66.166.72
-# MTU=
-# NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-# NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-# REDIRECTINFO=IP
-# RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-# STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-# WEBUSER=onionuser@somewhere.invalid
-# WEBPASSWD1=0n10nus3r
-# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap
deleted file mode 100644
index 45235ccda..000000000
--- a/setup/automation/eval-airgap
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=eval
-install_type=EVAL
-INTERWEBS=AIRGAP
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-cloud b/setup/automation/eval-cloud
deleted file mode 100644
index 8a18cb78c..000000000
--- a/setup/automation/eval-cloud
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=eval
-install_type=EVAL
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso
deleted file mode 100644
index a0bddf54f..000000000
--- a/setup/automation/eval-iso
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=eval
-install_type=EVAL
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-net b/setup/automation/eval-net
deleted file mode 100644
index 9ecab5ee0..000000000
--- a/setup/automation/eval-net
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-# address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=eval
-install_type=EVAL
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
deleted file mode 100644
index 1e3fdb70a..000000000
--- a/setup/automation/import-airgap
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=import
-install_type=IMPORT
-INTERWEBS=AIRGAP
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-# SOREMOTEPASS1=onionuser
-# SOREMOTEPASS2=onionuser
-STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-cloud b/setup/automation/import-cloud
deleted file mode 100644
index e12b00863..000000000
--- a/setup/automation/import-cloud
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=import
-install_type=IMPORT
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-# SOREMOTEPASS1=onionuser
-# SOREMOTEPASS2=onionuser
-STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-iso b/setup/automation/import-iso
deleted file mode 100644
index ad111cff6..000000000
--- a/setup/automation/import-iso
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=import
-install_type=IMPORT
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-# SOREMOTEPASS1=onionuser
-# SOREMOTEPASS2=onionuser
-STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/import-net b/setup/automation/import-net
deleted file mode 100644
index e58a3961a..000000000
--- a/setup/automation/import-net
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-# address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-#BNICS=eth1
-ZEEKVERSION=SURICATA
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=import
-install_type=IMPORT
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-# OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-# PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-# SOREMOTEPASS1=onionuser
-# SOREMOTEPASS2=onionuser
-STRELKA=1
-# THEHIVE=0
-# WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap
deleted file mode 100644
index 2c0a5af0f..000000000
--- a/setup/automation/standalone-airgap
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=standalone
-install_type=STANDALONE
-INTERWEBS=AIRGAP
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-cloud b/setup/automation/standalone-cloud
deleted file mode 100644
index 01b3120fb..000000000
--- a/setup/automation/standalone-cloud
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=standalone
-install_type=STANDALONE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso
deleted file mode 100644
index ea0f7ddb5..000000000
--- a/setup/automation/standalone-iso
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=standalone
-install_type=STANDALONE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-net b/setup/automation/standalone-net
deleted file mode 100644
index 23019f788..000000000
--- a/setup/automation/standalone-net
+++ /dev/null
@@ -1,66 +0,0 @@
-#!/bin/bash
-
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-
-TESTING=true
-
-# address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=SURICATA
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=standalone
-install_type=STANDALONE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-# REDIRECTHOST=
-REDIRECTINFO=IP
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
From 8f20e2bcb975bf8c8f4655f25b13eda38297a471 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 28 Feb 2023 14:29:22 -0500
Subject: [PATCH 224/470] refactor automated testing inputs due to streamlined setup process
---
setup/so-setup | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 8a295afcd..b7b178c08 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -180,14 +180,14 @@ if [ -n "$test_profile" ]; then
 # The below settings are hardcoded purely for automated testing purposes.
 TESTING=true
 MSRV=manager
- if [ "$test_profile" =~ *"-net" ]; then
+ if [[ "$test_profile" =~ "-net" ]]; then
 address_type=DHCP
 MSRVIP=10.66.166.72
- elif [ "$test_profile" =~ *"-cloud" ]; then
+ elif [[ "$test_profile" =~ "-cloud" ]]; then
 MSRVIP=10.99.1.20
- elif [ "$test_profile" =~ *"-iso" ]; then
+ elif [[ "$test_profile" =~ "-iso" ]]; then
 MSRVIP=10.66.166.42
- elif [ "$test_profile" =~ *"-airgap" ]; then
+ elif [[ "$test_profile" =~ "-airgap" ]]; then
 MSRVIP=10.66.166.52
 fi
 if [ -f "/root/public_ip" ]; then
From d456f681f18f16fed105af6a7c47fc6c999eebcb Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 28 Feb 2023 14:45:21 -0500
Subject: [PATCH 225/470] refactor automated testing inputs due to streamlined setup process
---
setup/so-functions | 4 ++--
setup/so-setup | 26 ++++++++++++++++----------
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index ef9174e74..d044bf326 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -17,11 +17,11 @@ log() {
 }
 error() {
- log "$1" "E"
+ log "$1" "ERROR"
 }
 info() {
- log "$1" "I"
+ log "$1" "INFO"
 }
 title() {
diff --git a/setup/so-setup b/setup/so-setup
index b7b178c08..7cbc876b0 100755
--- a/setup/so-setup
+++ b/setup/so-setup
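Review bot: The new `[[ "$test_profile" =~ "-net" ]]` tests are unanchored substring matches — a quoted right-hand side inside `[[ =~ ]]` is taken literally, so any profile whose name merely contains `-net` (likewise `-cloud`, `-iso`, `-airgap`) takes that branch, and because the chain is if/elif the first hit wins. If the profile name is expected to end in the environment suffix, anchor it, e.g. `if [[ "$test_profile" == *-net ]]; then` (glob) or `[[ "$test_profile" =~ -net$ ]]`. The same pattern is carried into the `@@ -175,20 +175,27 @@` and `@@ -175,34 +175,38 @@` hunks of the two later so-setup commits on this page. The enclosing `if [ -n "$test_profile" ]` block starts and ends outside this hunk.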
@@ -175,20 +175,27 @@ progress() {
 if [ -n "$test_profile" ]; then
 install_type="$(echo $test_profile |awk -F- '{print $1}')"
- info "Activating test profile: $test_profile"
+ info "Activating test profile; profile=$test_profile; install_type=$install_type"
 # The below settings are hardcoded purely for automated testing purposes.
 TESTING=true
- MSRV=manager
+ if [[ "$test_profile" =~ "-sensor-" || "$test_profile" =~ "-search-" ]]; then
+ HOSTNAME=$test_profile
+ MSRV=manager
+ if [[ "$test_profile" =~ "-net" ]]; then
+ MSRVIP=10.66.166.72
+ elif [[ "$test_profile" =~ "-cloud" ]]; then
+ MSRVIP=10.99.1.20
+ elif [[ "$test_profile" =~ "-iso" ]]; then
+ MSRVIP=10.66.166.42
+ elif [[ "$test_profile" =~ "-airgap" ]]; then
+ MSRVIP=10.66.166.52
+ fi
+ else
+ HOSTNAME=manager
+ fi
 if [[ "$test_profile" =~ "-net" ]]; then
 address_type=DHCP
- MSRVIP=10.66.166.72
- elif [[ "$test_profile" =~ "-cloud" ]]; then
- MSRVIP=10.99.1.20
- elif [[ "$test_profile" =~ "-iso" ]]; then
- MSRVIP=10.66.166.42
- elif [[ "$test_profile" =~ "-airgap" ]]; then
- MSRVIP=10.66.166.52
 fi
 if [ -f "/root/public_ip" ]; then
 REDIRECTHOST=$(cat /root/public_ip)
@@ -199,7 +206,6 @@ if [ -n "$test_profile" ]; then
 ALLOW_CIDR=0.0.0.0/0
 MNIC=eth0
 BNICS=eth1
- HOSTNAME=$install_type
 WEBUSER=onionuser@somewhere.invalid
 WEBPASSWD1=0n10nus3r
 WEBPASSWD2=0n10nus3r
From 052e0dea2eaaf698ec5098837af2db82797c1f8d Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 28 Feb 2023 14:47:44 -0500
Subject: [PATCH 226/470] create and manage metrics_link in a file for soc
---
salt/influxdb/init.sls | 8 ++++++++
salt/influxdb/metrics_link.txt | 0
salt/soc/defaults.map.jinja | 8 +-------
3 files changed, 9 insertions(+), 7 deletions(-)
create mode 100644 salt/influxdb/metrics_link.txt
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index f40b1b669..274502f46 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -117,6 +117,14 @@ influxdb-setup:
 - file: influxdb_curl_config
 - docker_container: so-influxdb
+metrics_link_file:
+ file.managed:
+ - name: /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
+ - contents: {{ salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') }}
+ - require:
+ - docker_container: so-influxdb
+ - cmd: influxdb-setup
+
 # Install cron job to determine size of influxdb for telegraf
 get_influxdb_size:
 cron.present:
diff --git a/salt/influxdb/metrics_link.txt b/salt/influxdb/metrics_link.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja
index 95bfb2a76..e16f047e4 100644
--- a/salt/soc/defaults.map.jinja
+++ b/salt/soc/defaults.map.jinja
@@ -2,13 +2,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER -%}
 {% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %}
-{% set METRICS_LINK = '' %}
-{% if salt['docker.exists']('so-influxdb') %}
-{% if salt['docker.pid']('so-influxdb') > 0 %}
-{% set METRICS_LINK = salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') %}
-{% endif %}
-{% endif %}
-
+{% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %}
 {% for module, application_url in GLOBALS.application_urls.items() %}
 {% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
From 749c299ed2c0a70d629310c409abaaf2f78b2bb4 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 28 Feb 2023 15:34:09 -0500
Subject: [PATCH 227/470] refactor automated testing inputs due to streamlined setup process
---
setup/so-setup | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 7cbc876b0..69cbfbee1 100755
--- a/setup/so-setup
+++ b/setup/so-setup
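Review bot: The `- contents:` value of the added `metrics_link_file` state drops the raw output of `so-influxdb-manage dashboardpath` into the YAML as an unquoted plain scalar, so a `: `, ` #` or leading indicator character in that output breaks the render of the whole sls, and an empty result leaves `contents` as null. Quoting it, `- contents: "{{ salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') }}"`, keeps the state parseable (Jinja renders first, so the inner quotes are consumed before YAML sees the line). Note also that a `{{ salt['cmd.run'](...) }}` lookup executes when the sls is rendered, before any state runs, so the `require` on `cmd: influxdb-setup` orders the file write but not the lookup itself; a comment on the state saying so would save the next reader from assuming otherwise.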
@@ -175,34 +175,38 @@ progress() {
 if [ -n "$test_profile" ]; then
 install_type="$(echo $test_profile |awk -F- '{print $1}')"
+ install_type=${install_type^^}
 info "Activating test profile; profile=$test_profile; install_type=$install_type"
 # The below settings are hardcoded purely for automated testing purposes.
 TESTING=true
+
 if [[ "$test_profile" =~ "-sensor-" || "$test_profile" =~ "-search-" ]]; then
 HOSTNAME=$test_profile
- MSRV=manager
- if [[ "$test_profile" =~ "-net" ]]; then
- MSRVIP=10.66.166.72
- elif [[ "$test_profile" =~ "-cloud" ]]; then
- MSRVIP=10.99.1.20
- elif [[ "$test_profile" =~ "-iso" ]]; then
- MSRVIP=10.66.166.42
- elif [[ "$test_profile" =~ "-airgap" ]]; then
- MSRVIP=10.66.166.52
- fi
 else
 HOSTNAME=manager
 fi
+
+ MSRV=manager
 if [[ "$test_profile" =~ "-net" ]]; then
 address_type=DHCP
+ MSRVIP=10.66.166.72
+ elif [[ "$test_profile" =~ "-cloud" ]]; then
+ MSRVIP=10.99.1.20
+ elif [[ "$test_profile" =~ "-iso" ]]; then
+ MSRVIP=10.66.166.42
+ elif [[ "$test_profile" =~ "-airgap" ]]; then
+ is_airgap=true
+ MSRVIP=10.66.166.52
 fi
+
 if [ -f "/root/public_ip" ]; then
 REDIRECTHOST=$(cat /root/public_ip)
 REDIRECTINFO=OTHER
 else
 REDIRECTINFO=IP
 fi
+
 ALLOW_CIDR=0.0.0.0/0
 MNIC=eth0
 BNICS=eth1
From 205e3440342dbd4e119b70b53bfaf9eef50d8482 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 28 Feb 2023 15:40:08 -0500
Subject: [PATCH 228/470] dynamically choose test NICs in alphanumeric sort order
---
setup/so-setup | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 69cbfbee1..9f386c4a6 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -208,8 +208,8 @@ if [ -n "$test_profile" ]; then
 fi
 ALLOW_CIDR=0.0.0.0/0
- MNIC=eth0
- BNICS=eth1
+ MNIC=$(ls -1 /sys/class/net | head -1)
+ BNICS=$(ls -1 /sys/class/net | head -2 | tail -1)
 WEBUSER=onionuser@somewhere.invalid
 WEBPASSWD1=0n10nus3r
 WEBPASSWD2=0n10nus3r
From 8772dcaa10bfd055b1b6efe81f6fc21a8377107e Mon Sep 17 00:00:00 2001
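Review bot: `ls -1 /sys/class/net | head -1` in the `@@ -208,8 +208,8 @@` hunk includes the loopback interface `lo` in its candidate list, so on a host whose physical interface names sort after `lo` (names beginning with `p`, `v`, `w`, …) MNIC becomes `lo` and BNICS the first real NIC. Filtering it out before picking avoids that: `MNIC=$(ls -1 /sys/class/net | grep -v '^lo$' | head -1)` and `BNICS=$(ls -1 /sys/class/net | grep -v '^lo$' | sed -n 2p)`. Virtual interfaces present at setup time (bridges, tunnels) would still be candidates; if the test hosts are known to have only two NICs that is fine, but a comment stating the assumption would help. The enclosing `if [ -n "$test_profile" ]` block starts and ends outside both hunks.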
From: m0duspwnens
Date: Tue, 28 Feb 2023 15:57:54 -0500
Subject: [PATCH 229/470] ensure influxdb is running
---
salt/influxdb/init.sls | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 274502f46..fb62cb323 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -117,13 +117,14 @@ influxdb-setup:
 - file: influxdb_curl_config
 - docker_container: so-influxdb
+{% if salt['docker.exists']('so-influxdb') %}
+{% if salt['docker.pid']('so-influxdb') > 0 %}
 metrics_link_file:
 file.managed:
 - name: /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
 - contents: {{ salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') }}
- - require:
- - docker_container: so-influxdb
- - cmd: influxdb-setup
+{% endif %}
+{% endif %}
 # Install cron job to determine size of influxdb for telegraf
 get_influxdb_size:
From 134caa7f58814c2ccc06e40e65eefefc49d1e28f Mon Sep 17 00:00:00 2001
From: weslambert
Date: Tue, 28 Feb 2023 16:31:16 -0500
Subject: [PATCH 230/470] Various adjustments to descriptions
---
salt/elasticsearch/soc_elasticsearch.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 26d4890c2..05a812bbc 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
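Review bot: Dropping the `require` on `cmd: influxdb-setup` removes the only ordering between `metrics_link_file` and the setup step that presumably creates the dashboard, and the new `docker.exists`/`docker.pid` guard only proves the container process is up, not that setup has completed. Because the `salt['cmd.run']` lookup in `- contents:` executes while the sls is rendered, a first highstate on a fresh manager can pass the guard and still write whatever the command prints on a missing dashboard into `metrics_link.txt`. If the goal is to skip the lookup until influxdb is usable, a comment on the guard stating that the container being alive is the only precondition checked (`# render-time guard: container must be running; dashboard existence is not verified`) would at least make the limitation visible.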
@@ -79,13 +79,13 @@ elasticsearch:
 phases:
 hot:
 min_age:
- description: Minimum age
+ description: Minimum age of index. This determines when the index should be moved to the hot tier.
 global: True
 helpLink: elasticsearch.html
 actions:
 set_priority:
 priority:
- description: Priority of index, used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
+ description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
 global: True
 helpLink: elasticsearch.html
 rollover:
@@ -99,7 +99,7 @@ elasticsearch:
 helpLink: elasticsearch.html
 cold:
 min_age:
- description: Minimum age of index, determining when it should be sent to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
+ description: Minimum age of index. This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed.
 global: True
 helpLink: elasticsearch.html
 actions:
@@ -110,7 +110,7 @@ elasticsearch:
 helpLink: elasticsearch.html
 delete:
 min_age:
- description: Minimum age of index, determining when it should be deleted.
+ description: Minimum age of index. This determines when the index should be deleted.
 global: True
 helpLink: elastic
 so-endgame: *indexSettings
From 13182fcda2f6792f79b61b3cf5a32d81b3e9557a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 28 Feb 2023 16:31:17 -0500
Subject: [PATCH 231/470] refactor automated testing inputs due to streamlined setup process
---
setup/so-setup | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 9f386c4a6..440965ca1 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -181,8 +181,10 @@ if [ -n "$test_profile" ]; then
 # The below settings are hardcoded purely for automated testing purposes.
 TESTING=true
- if [[ "$test_profile" =~ "-sensor-" || "$test_profile" =~ "-search-" ]]; then
- HOSTNAME=$test_profile
+ if [[ "$test_profile" =~ "-sensor-" ]]; then
+ HOSTNAME=sensor
+ elif [[ "$test_profile" =~ "-search-" ]]; then
+ HOSTNAME=search
 else
 HOSTNAME=manager
 fi
From c4e1ec781eed1beef3d6ed8269267ed6ed360a50 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 28 Feb 2023 16:31:35 -0500
Subject: [PATCH 232/470] apply influxdb before highstate in setup
---
setup/so-setup | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 6825afc9d..e3221ed09 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -597,7 +597,8 @@ if ! [[ -f $install_opt_file ]]; then
 title "Seeding the docker registry"
 docker_seed_registry
 title "Applying the manager state"
- logCmd "salt-call state.apply -l info manager"
+ logCmd "salt-call state.apply -l info manager"
+ logCmd "salt-call state.apply influxdb -l info"
 logCmd "salt-call state.highstate -l info"
 add_web_user
 info "Restarting SOC to pick up initial user"
From a79c380e2b928e1ce13d79c4c3a99bc4af71fac5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 1 Mar 2023 09:18:58 -0500
Subject: [PATCH 233/470] use cmd.run to populate metrics_link
---
salt/influxdb/init.sls | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index fb62cb323..2bc23792d 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
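Review bot: In the `@@ -597,7 +597,8 @@` hunk the added `logCmd "salt-call state.apply influxdb -l info"` runs under the preceding `title "Applying the manager state"` banner, so a failure in the influxdb state is logged as a manager-state problem. A `title "Applying the influxdb state"` (or an `info` line) before it keeps the setup log aligned with what is running, and the argument order should match the line above it, `logCmd "salt-call state.apply -l info influxdb"`, for grep-ability. The removed and re-added `state.apply -l info manager` line looks like a whitespace-only change, which is worth mentioning in the commit message. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.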
@@ -117,14 +117,11 @@ influxdb-setup:
 - file: influxdb_curl_config
 - docker_container: so-influxdb
-{% if salt['docker.exists']('so-influxdb') %}
-{% if salt['docker.pid']('so-influxdb') > 0 %}
 metrics_link_file:
- file.managed:
- - name: /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
- - contents: {{ salt['cmd.run']('so-influxdb-manage dashboardpath "Security Onion Performance"') }}
-{% endif %}
-{% endif %}
+ cmd.run:
+ - name: so-influxdb-manage dashboardpath "Security Onion Performance" &> /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
+ - require:
+ - docker_container: so-influxdb
 # Install cron job to determine size of influxdb for telegraf
 get_influxdb_size:
From 704365c6eb482362f9c97dced54a87cd3d955983 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 1 Mar 2023 09:44:48 -0500
Subject: [PATCH 234/470] only stdout redirect
---
salt/influxdb/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 2bc23792d..bd894a6d4 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -119,7 +119,7 @@ influxdb-setup:
 metrics_link_file:
 cmd.run:
- - name: so-influxdb-manage dashboardpath "Security Onion Performance" &> /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
+ - name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt
 - require:
 - docker_container: so-influxdb
From af284b9aae447f9252468b438a996215e0c670dd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 1 Mar 2023 16:38:48 -0500
Subject: [PATCH 235/470] Update init.sls
---
salt/curator/init.sls | 2 ++
1 file changed, 2 insertions(+)
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index e62304bce..a06696b0f 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -142,6 +142,8 @@ so-curator:
 - file: actionconfs
 - file: curconf
 - file: curlogdir
+ - watch:
+ - file: curconf
 so-curatorclusterclose:
 cron.present:
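Review bot: With `> /opt/so/saltstack/local/salt/influxdb/metrics_link.txt` the shell truncates the file before `so-influxdb-manage` runs, so when the command fails the previously good link is replaced by an empty file that `soc/defaults.map.jinja` then imports; the state also has no `unless`/`creates`, so it re-executes and reports a change on every highstate. Writing to a temporary path and moving it into place only on success keeps the last good value, for example `- name: so-influxdb-manage dashboardpath "Security Onion Performance" > /opt/so/saltstack/local/salt/influxdb/metrics_link.txt.tmp && mv /opt/so/saltstack/local/salt/influxdb/metrics_link.txt.tmp /opt/so/saltstack/local/salt/influxdb/metrics_link.txt`. The follow-up `@@ -119,7 +119,7 @@` hunk's switch from `&>` to `>` is right — stderr no longer ends up in the link file — but the truncate-before-run behaviour is unchanged.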
From 06d1f0f9133311b00382f525373c27852c69ba3f Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 2 Mar 2023 08:46:52 -0500
Subject: [PATCH 236/470] Update Curator configuration to align with requirements for Curator 8.0.x
---
salt/curator/files/curator.yml | 33 +++++++++++++++++++--------------
1 file changed, 19 insertions(+), 14 deletions(-)
diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml
index 76888c94f..549310d73 100644
--- a/salt/curator/files/curator.yml
+++ b/salt/curator/files/curator.yml
@@ -15,20 +15,25 @@
 ---
 # Remember, leave a key empty if there is no value. None will be a string,
 # not a Python "NoneType"
-client:
- hosts:
- - {{elasticsearch}}
- port: 9200
- username: "{{ ES_USER }}"
- password: "{{ ES_PASS }}"
- url_prefix:
- use_ssl: True
- certificate:
- client_cert:
- client_key:
- ssl_no_validate: True
- timeout: 30
- master_only: False
+elasticsearch:
+ client:
+ hosts:
+ - https://{{elasticsearch}}:9200
+ cloud_id:
+ ca_certs:
+ client_cert:
+ client_key:
+ verify_certs: False
+ request_timeout: 30
+ other_settings:
+ api_key:
+ id:
+ api_key:
+ master_only: False
+{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
+ username: "{{ ES_USER }}"
+ password: "{{ ES_PASS }}"
+{%- endif %}
 logging:
 loglevel: INFO
From 2b0ea8eb8b9fb91f42ddbf4925c141f59cca0197 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 2 Mar 2023 11:34:36 -0500
Subject: [PATCH 237/470] Update so-functions
---
setup/so-functions | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 35d625faa..15eb22d9d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
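Review bot: `verify_certs: False` with `ca_certs:` left empty means Curator accepts any certificate on the `https://{{elasticsearch}}:9200` connection, so the `username`/`password` rendered under `other_settings` can be sent to whatever answers on that address; the removed `ssl_no_validate: True` had the same effect, so this is not a regression, but the Curator 8 migration is the natural point to fix it. If the deployment's CA bundle is present on the host that runs Curator, point `ca_certs:` at it and set `verify_certs: True`. The `{%- if ... %}`/`{%- endif %}` pair strips the newline before each tag, which is what keeps `username:` on its own line after `master_only: False`; a short comment above the block (`# credentials are only rendered when elasticsearch:auth:enabled is true`) would make the conditional easier to maintain.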
@@ -1986,9 +1986,9 @@ repo_sync_local() {
 dnf repolist
 # Make sure we can get to the sig repo
 logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup"
- logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
+ logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
 # Run it again and make sure we got allt he things
- logCmd "dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
+ logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
 # After the download is complete run createrepo
 create_repo
From e6167dc34ac8f14f301716e445e9d56bd62cd179 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 2 Mar 2023 15:09:59 -0500
Subject: [PATCH 238/470] heavynode changes
---
pillar/top.sls | 2 ++
salt/firewall/assigned_hostgroups.map.yaml | 4 ++--
salt/vars/heavynode.map.jinja | 17 +++++++++++++++++
setup/so-functions | 2 +-
setup/so-setup | 2 +-
5 files changed, 23 insertions(+), 4 deletions(-)
create mode 100644 salt/vars/heavynode.map.jinja
diff --git a/pillar/top.sls b/pillar/top.sls
index 41d3265f0..2f7894769 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -27,6 +27,8 @@ base:
 - logstash.soc_logstash
 - logstash.adv_logstash
 - elasticsearch.index_templates
+ - elasticsearch.soc_elasticsearch
+ - elasticsearch.adv_elasticsearch
 '*_manager':
 - logstash
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 0f748e6d6..2e54a5e9f 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -411,11 +411,9 @@ role:
 elasticsearch_rest:
 portgroups:
 - {{ portgroups.elasticsearch_rest }}
- {% if TRUE_CLUSTER %}
 searchnodes:
 portgroups:
 - {{ portgroups.elasticsearch_node }}
- {% endif %}
 self:
 portgroups:
 - {{ portgroups.syslog}}
@@ -469,6 +467,8 @@ role:
 self:
 portgroups:
 - {{ portgroups.syslog}}
+ - {{ portgroups.elasticsearch_node }}
+ - {{ portgroups.elasticsearch_rest }}
 strelka_frontend:
 portgroups:
 - {{ portgroups.strelka_frontend }}
diff --git a/salt/vars/heavynode.map.jinja b/salt/vars/heavynode.map.jinja
new file mode 100644
index 000000000..ccc241884
--- /dev/null
+++ b/salt/vars/heavynode.map.jinja
@@ -0,0 +1,17 @@
+{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
+{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
+
+{% set ROLE_GLOBALS = {} %}
+
+{% set HEAVYNODE_GLOBALS =
+ [
+ SENSOR_GLOBALS,
+ ELASTICSEARCH_GLOBALS,
+ LOGSTASH_GLOBALS
+ ]
+%}
+
+{% for sg in HEAVYNODE_GLOBALS %}
+{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
+{% endfor %}
diff --git a/setup/so-functions b/setup/so-functions
index 381c4b497..38505e784 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1704,7 +1704,7 @@ process_installtype() {
 elif [ "$install_type" = 'SEARCHNODE' ]; then
 is_searchnode=true
 elif [ "$install_type" = 'HEAVYNODE' ]; then
- is_heavy=true
+ is_heavynode=true
 elif [ "$install_type" = 'FLEET' ]; then
 is_fleet=true
 elif [ "$install_type" = 'IDH' ]; then
diff --git a/setup/so-setup b/setup/so-setup
index 6825afc9d..45a124e7a 100755
--- a/setup/so-setup
+++ b/setup/so-setup
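Review bot: Removing the `{% if TRUE_CLUSTER %}` guard in the `@@ -411,11 +411,9 @@` hunk means the `searchnodes` hostgroup now receives `elasticsearch_node` (transport) access on this role unconditionally, where before it was limited to true-cluster deployments; the hunk header shows only `role:`, so which role this widens is not visible here. If that is intended for the heavynode design, a comment on the stanza (`# search nodes always need transport access to this role's Elasticsearch`) would record why the guard went away and stop someone reinstating it. The second hunk adds `elasticsearch_node` and `elasticsearch_rest` to the `self` group, which — if `self` means the node's own addresses as the name suggests — is a local-only opening and lower risk.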
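Review bot: `salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True)` in the new `heavynode.map.jinja` merges the three globals in list order, so on a key present in more than one map the later source should win (LOGSTASH_GLOBALS over ELASTICSEARCH_GLOBALS over SENSOR_GLOBALS), and with `merge_lists=False` a list value is replaced rather than appended; nothing in the file says this precedence is de liberate. A comment above the loop, `{# later entries override earlier ones on key conflicts; list values are replaced, not appended #}`, would make the intended order explicit for whoever reorders `HEAVYNODE_GLOBALS` next.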
@@ -637,5 +637,5 @@ if ! [[ -f $install_opt_file ]]; then
 verify_setup
 fi
- # Need to make sure the latest install is located on the web server of the manager to check the versions and donwload the code if required
+ # Need to make sure the latest install is located on the web server of the manager to check the versions and download the code if required
 fi
From fd2068be8867516fe0a642732f0bac57575ef663 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 2 Mar 2023 15:23:53 -0500
Subject: [PATCH 239/470] Switch back to kilo images
---
VERSION | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 197c4d5c2..7f2e97617 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4.0
+2.4.0-kilo
From adb925b4d613eda648856cf57d6d08a10c19ce94 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 3 Mar 2023 12:48:42 -0500
Subject: [PATCH 240/470] enable zeek vlan script
---
salt/zeek/defaults.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml
index ec3eef3a2..64a332746 100644
--- a/salt/zeek/defaults.yaml
+++ b/salt/zeek/defaults.yaml
@@ -44,6 +44,7 @@ zeek:
 - protocols/ssh/detect-bruteforcing
 - protocols/ssh/interesting-hostnames
 - protocols/http/detect-sqli
+ - protocols/conn/vlan-logging
 - frameworks/files/hash-all-files
 - frameworks/files/detect-MHR
 - policy/frameworks/notice/extend-email/hostnames
From 9940a36722242a0e5787d4a04681e4d585d095a5 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 3 Mar 2023 15:22:43 -0500
Subject: [PATCH 241/470] update Elasticsearch ingest for Zeek conn vlan field
---
salt/elasticsearch/files/ingest/zeek.conn | 29 ++++++++++++-----------
1 file changed, 15 insertions(+), 14 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 73ce29c1d..8b458e032 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -2,27 +2,28 @@
 "description" : "zeek.conn",
 "processors" : [
 { "set": { "field": "event.dataset", "value": "conn" } },
- { "remove": { "field": ["host"], "ignore_failure": true } },
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "remove": { "field": ["host"], "ignore_failure": true } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
 { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_missing": true } },
 { "rename": { "field": "message2.service", "target_field": "network.protocol", "ignore_missing": true } },
 { "rename": { "field": "message2.duration", "target_field": "event.duration", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_bytes", "target_field": "client.bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_bytes", "target_field": "server.bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.conn_state", "target_field": "connection.state", "ignore_missing": true } },
- { "rename": { "field": "message2.local_orig", "target_field": "connection.local.originator", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_bytes", "target_field": "client.bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_bytes", "target_field": "server.bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.conn_state", "target_field": "connection.state", "ignore_missing": true } },
+ { "rename": { "field": "message2.local_orig", "target_field": "connection.local.originator", "ignore_missing": true } },
 { "rename": { "field": "message2.local_resp", "target_field": "connection.local.responder", "ignore_missing": true } },
- { "rename": { "field": "message2.missed_bytes", "target_field": "connection.bytes.missed", "ignore_missing": true } },
+ { "rename": { "field": "message2.missed_bytes", "target_field": "connection.bytes.missed", "ignore_missing": true } },
 { "rename": { "field": "message2.history", "target_field": "connection.history", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_pkts", "target_field": "client.packets", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
- { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_pkts", "target_field": "client.packets", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_ip_bytes", "target_field": "client.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_pkts", "target_field": "server.packets", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_ip_bytes", "target_field": "server.ip_bytes", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_mac_oui", "target_field": "client.oui", "ignore_missing": true } },
 { "rename": { "field": "message2.tunnel_parents", "target_field": "log.id.tunnel_parents", "ignore_missing": true } },
- { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code","ignore_missing": true } },
- { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.orig_cc", "target_field": "client.country_code", "ignore_missing": true } },
+ { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
 { "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
+ { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_missing": true } },
 { "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
 { "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
 { "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
From e24296d5365ceaf2b0d25fc28ec020a59be989e5 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Fri, 3 Mar 2023 15:23:43 -0500
Subject: [PATCH 242/470] add SOC Dashboards groupby for Zeek conn vlan field
---
salt/soc/defaults.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 9a468902c..a2b6e43e6 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
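Review bot: The only functional change in this hunk is the added `message2.vlan` → `network.vlan.id` rename; the other fourteen removed/added pairs appear to be whitespace re-indentation, which buries the one line that matters and makes the diff read as a rewrite of the pipeline. Keeping the reindent in its own commit (or out of this one) would leave the ingest change reviewable on its own. If Zeek logs `vlan` as a number while the index template maps `network.vlan.id` as keyword, Elasticsearch will coerce it, but it is worth confirming the mapping so the `groupby network.vlan.id` added to the SOC dashboard in the following commit aggregates as expected.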
@@ -1419,7 +1419,7 @@ soc: query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Connections description: Network connection metadata - query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui' + query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui | groupby network.vlan.id' - name: DCE_RPC description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' From 4a2e75dd8c597bbab364b730c04452deae10caa7 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 3 Mar 2023 17:16:45 -0500 Subject: [PATCH 243/470] fix formatting --- salt/zeek/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 64a332746..18e8a4d8a 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml @@ -37,6 +37,7 @@ zeek: - protocols/ftp/detect - protocols/conn/known-hosts - protocols/conn/known-services + - protocols/conn/vlan-logging - protocols/ssl/known-certs - protocols/ssl/validate-certs - protocols/ssl/log-hostcerts-only @@ -44,7 +45,6 @@ zeek: - protocols/ssh/detect-bruteforcing - protocols/ssh/interesting-hostnames - protocols/http/detect-sqli - - protocols/conn/vlan-logging - frameworks/files/hash-all-files - frameworks/files/detect-MHR - policy/frameworks/notice/extend-email/hostnames From f0db5cf6571797937006c3fac88336505f117783 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 4 Mar 2023 11:50:01 -0500 Subject: [PATCH 244/470] Fixup osquery SO Hunt link --- salt/kibana/files/live_query_fixup.sh | 6 +++--- salt/kibana/init.sls | 6 ++++++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/salt/kibana/files/live_query_fixup.sh b/salt/kibana/files/live_query_fixup.sh index 5026e3a16..9a03683db 100644 --- a/salt/kibana/files/live_query_fixup.sh +++ b/salt/kibana/files/live_query_fixup.sh 
@@ -13,10 +13,10 @@ docker exec so-kibana grep -q "https://{{ GLOBALS.url_base }}" /usr/share/kibana if [ $? -eq 0 ] then #Do Nothing, pattern has been found - echo "Pattern found, exiting..." + echo "SO Hunt link found, exiting without changes..." else - echo "Pattern not found..." - docker exec so-kibana sed -i 's|href:h|href:"https://{{ GLOBALS.url_base }}/#/hunt?q=action_id%3A%20"+e+"%20%7C%20groupby%20action_id%20action_data.query%20%7C%20groupby%20host.hostname%20%22metadata.input.beats.host.ip%22"|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js + echo "SO Hunt link not found, adding link and restarting Kibana container..." + docker exec so-kibana sed -i 's|href:g|href:"https://{{ GLOBALS.url_base }}/#/hunt?q=action_id%3A%20"+e+"%20%7C%20groupby%20action_id%20action_data.query%20%7C%20groupby%20host.hostname%20%22metadata.input.beats.host.ip%22"|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js docker exec so-kibana sed -i 's|View in Discover|View in SO - Hunt|g' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js docker exec so-kibana rm /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js.br docker exec so-kibana gzip -kf /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index a974dcf48..ba1413c74 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -108,6 +108,12 @@ append_so-kibana_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-kibana +osquery_hunt_link: + cmd.script: + - source: salt://kibana/files/live_query_fixup.sh + - cwd: /root + - template: jinja + {% else %} {{sls}}_state_not_allowed: From 9db6df0f14887eb3c3c6dbac7273444ad27b532b Mon Sep 17 00:00:00 2001 
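Review bot: The patch only moves the sed anchor from `href:h` to `href:g`, which ties the fix to the minified identifier of one particular Kibana build, and when that anchor stops matching the else-branch still removes the `.br` file, re-gzips and exits 0, so the new `osquery_hunt_link` cmd.script state in init.sls reports success on every highstate without the link being present. After the sed, verify that the edit landed, e.g. `docker exec so-kibana grep -q 'hunt?q=action_id' /usr/share/kibana/x-pack/plugins/osquery/target/public/osquery.chunk.0.js || { echo "SO Hunt link substitution did not match"; exit 1; }`, so a Kibana upgrade surfaces as a failed state rather than a silent no-op. `GLOBALS.url_base` is also spliced unescaped into the sed replacement, so a value containing `|` or `&` would break the expression; presumably it is a bare hostname, but a comment stating that assumption would help. The grep whose `$?` the `if` tests is outside the hunk.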
From: Josh Brower Date: Sat, 4 Mar 2023 15:19:19 -0500 Subject: [PATCH 245/470] Initial updates for 2.4 fieldnames --- salt/soc/defaults.yaml | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 9a468902c..14e8182f3 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -7,19 +7,19 @@ soc: icon: fa-crosshairs target: links: - - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - '/#/hunt?q="{value|escape}" | groupby event.module* event.dataset' - name: actionCorrelate description: actionCorrelateHelp icon: fab fa-searchengin target: '' links: - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' - - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module* event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module* event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module* event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module* event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module* event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module* event.dataset' - name: actionPcap description: actionPcapHelp icon: fa-stream @@ -560,7 +560,7 @@ soc: - destination.geo.country_iso_code - user.name - source.ip - ':sysmon:': + ':windows.sysmon_operational:': - soc_timestamp - event.dataset - process.executable 
@@ -1121,7 +1121,7 @@ soc: showSubtitle: true - name: Log Type description: Show all events grouped by module and dataset - query: '* | groupby event.module event.dataset' + query: '* | groupby event.module* event.dataset' showSubtitle: true - name: SOC Auth description: Users authenticated to SOC grouped by IP address and identity @@ -1145,11 +1145,11 @@ soc: showSubtitle: true - name: Sysmon Events description: Show all Sysmon logs grouped by event type - query: 'event.module:sysmon | groupby event.dataset' + query: 'event.dataset: windows.sysmon_operational | groupby event.action' showSubtitle: true - name: Sysmon Usernames description: Show all Sysmon logs grouped by username - query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' + query: 'event.dataset: windows.sysmon_operational | groupby event.action, user.name.keyword' showSubtitle: true - name: Strelka description: Show all Strelka logs grouped by file type 
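Review bot: The two rewritten Sysmon queries write `event.dataset: windows.sysmon_operational` with a space after the colon, while the Sysmon Overview query in the same commit and the rest of this file use `event.dataset:windows.sysmon_operational`; the query parser tolerates the space, but the file should use one form. Suggest `query: 'event.dataset:windows.sysmon_operational | groupby event.action'` and the same spelling for the Sysmon Usernames query.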
@@ -1380,7 +1380,7 @@ soc: queries: - name: Overview description: Overview of all events - query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module | groupby event.dataset | groupby event.module | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: SOC Auth description: SOC (Security Onion Console) authentication logs query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent' 
@@ -1389,28 +1389,28 @@ soc: query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type' - name: Alerts description: Overview of all alerts - query: 'event.dataset:alert | groupby event.module | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:alert | groupby event.module* | groupby rule.name | groupby event.severity | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: NIDS Alerts description: NIDS (Network Intrusion Detection System) alerts query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Sysmon Overview description: Overview of all Sysmon data types - query: 'event.module:sysmon | groupby -sankey event.dataset winlog.computer_name | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby event.dataset | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.action | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Sysmon Registry description: Registry changes captured by Sysmon - query: '(event.dataset:registry_create_delete OR event.dataset:registry_value_set OR 
event.dataset:registry_key_value_rename) | groupby -sankey event.dataset winlog.computer_name | groupby winlog.computer_name | groupby event.dataset | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.executable winlog.event_data.TargetObject' + query: '(event.dataset:windows.sysmon_operational AND event.action:Registry*) | groupby -sankey event.action host.name | groupby host.name | groupby event.action | groupby process.executable | groupby registry.path | groupby process.executable registry.path' - name: Sysmon DNS description: DNS queries captured by Sysmon - query: 'event.dataset:dns_query | groupby -sankey winlog.computer_name dns.query.name | groupby winlog.computer_name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name' + query: 'event.dataset:windows.sysmon_operational AND event.action:"Dns query (rule: DnsQuery)" | groupby -sankey host.name dns.query.name | groupby host.name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name' - name: Sysmon Process description: Process activity captured by Sysmon - query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey winlog.computer_name user.name | groupby winlog.computer_name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' + query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey host.name user.name | groupby host.name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey 
process.parent.executable process.executable' - name: Sysmon File description: File activity captured by Sysmon - query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey winlog.computer_name process.executable | groupby winlog.computer_name | groupby event.dataset | groupby file.target | groupby process.executable' + query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset | groupby file.target | groupby process.executable' - name: Sysmon Network description: Network activity captured by Sysmon - query: 'event.dataset:network_connection | groupby -sankey winlog.computer_name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:network_connection | groupby -sankey host.name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Strelka description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' @@ -1611,7 +1611,7 @@ soc: - acknowledged queries: - name: 'Group By Name, Module' - query: '* | groupby rule.name event.module event.severity_label' + query: '* | groupby rule.name event.module* event.severity_label' - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' - name: 'Group By Source IP, Name' From 19ab2a5a4667b1d162acca5f45626603eab75ccd Mon Sep 17 00:00:00 2001 
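Review bot: In the Sysmon Network query the sankey was moved to `host.name` but the following clause is still `groupby winlog.computer_name`, so that column keeps the field the rest of the commit migrates away from; change it to `| groupby host.name |`. The Sysmon Process, File and Network queries also still filter on the old dataset names (`process_creation`, `event.module:sysmon AND event.dataset:file_*`, `network_connection`) while Overview, Registry and DNS switched to `event.dataset:windows.sysmon_operational` with `event.action`; the "Initial updates" title suggests this is known, and if so a TODO on those three lines would keep the partial migration visible.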
From: Doug Burks Date: Sun, 5 Mar 2023 05:57:52 -0500 Subject: [PATCH 246/470] rename suricata vlan field to network.vlan.id --- .../files/ingest/suricata.common | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common index 6e956d196..4dea07b8b 100644 --- a/salt/elasticsearch/files/ingest/suricata.common +++ b/salt/elasticsearch/files/ingest/suricata.common 
@@ -1,19 +1,20 @@ { "description" : "suricata.common", "processors" : [ - { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, - { "rename":{ "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, - { "rename":{ "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, - { "rename":{ "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, - { "rename":{ "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, - { "rename":{ "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, - { "rename":{ "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, - { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, - { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, - { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, - { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, + { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, + { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, + { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, + { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, + { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, + { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, + { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, + { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, + { "rename": { "field": 
"message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, + { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, + { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, - { "remove":{ "field": "agent", "ignore_failure": true } }, + { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } } ] } From a2bda07820099440cd79c74d8e2158e75706e136 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sun, 5 Mar 2023 15:24:11 -0500 Subject: [PATCH 247/470] add VLAN dashboard --- salt/soc/defaults.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index a2b6e43e6..3fe2f4567 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
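Review bot: The new `message2.vlan` rename uses `"ignore_failure": true` like its neighbours, whereas the `community_id` rename directly below and the Zeek conn pipeline's own `message2.vlan` → `network.vlan.id` rename use `"ignore_missing": true`; `ignore_failure` also swallows a rename that fails because the target already exists or `network.vlan` is not an object, so the VLAN value would be dropped without any error. Suggest `{ "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_missing": true } },`. Suricata's EVE output emits `vlan` as a JSON array if I recall correctly, so `network.vlan.id` would hold an array for Suricata events and a scalar for Zeek; worth confirming the index mapping accepts both before dashboards rely on the field.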
@@ -1419,7 +1419,7 @@ soc: query: 'event.dataset:notice | groupby -sankey notice.note destination.ip | groupby notice.note | groupby notice.message | groupby notice.sub_message | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Connections description: Network connection metadata - query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui | groupby network.vlan.id' + query: 'event.dataset:conn | groupby source.ip | groupby destination.ip | groupby destination.port | groupby -sankey destination.port network.protocol | groupby network.protocol | groupby network.transport | groupby connection.history | groupby connection.state | groupby connection.state_description | groupby source.geo.country_name | groupby destination.geo.country_name | groupby client.ip_bytes | groupby server.ip_bytes | groupby client.oui' - name: DCE_RPC description: DCE_RPC (Distributed Computing Environment / Remote Procedure Calls) network metadata query: 'event.dataset:dce_rpc | groupby -sankey dce_rpc.endpoint dce_rpc.operation | groupby dce_rpc.endpoint | groupby dce_rpc.operation | groupby dce_rpc.named_pipe | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' 
@@ -1555,6 +1555,9 @@ soc: - name: Firewall description: Firewall logs query: 'event.dataset:firewall | groupby -sankey rule.action interface.name | groupby rule.action | groupby interface.name | groupby network.transport | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: VLAN + description: VLAN (Virtual Local Area Network) tagged logs + query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name' job: alerts: advanced: false From b6d55bedc8cddae905736ac3cfa1eb11e6da321d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 6 Mar 2023 13:50:17 -0500 Subject: [PATCH 248/470] make influxdb token accessible to all nodes --- pillar/top.sls | 1 + salt/influxdb/curl.config.jinja | 2 +- salt/influxdb/init.sls | 2 +- salt/soc/defaults.map.jinja | 2 +- salt/telegraf/etc/telegraf.conf | 2 +- setup/so-functions | 7 +++++-- 6 files changed, 10 insertions(+), 6 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index 2f7894769..60cface84 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -10,6 +10,7 @@ base: - sensoroni.adv_sensoroni - telegraf.soc_telegraf - telegraf.adv_telegraf + - influxdb.token - node_data.ips '* and not *_eval and not *_import': diff --git a/salt/influxdb/curl.config.jinja b/salt/influxdb/curl.config.jinja index 9f636e851..d994b05d9 100644 --- a/salt/influxdb/curl.config.jinja +++ b/salt/influxdb/curl.config.jinja @@ -1 +1 @@ -header = "Authorization: Token {{ salt['pillar.get']('secrets:influx_token') }}" \ No newline at end of file +header = "Authorization: Token {{ salt['pillar.get']('influxdb:token') }}" diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index bd894a6d4..b6190fdfd 100644 --- a/salt/influxdb/init.sls 
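Review bot: In the new VLAN dashboard query `* AND _exists_:network.vlan.id` the leading `* AND` adds nothing; `_exists_:network.vlan.id | groupby network.vlan.id | ...` expresses the same filter. The query also writes `groupby event.module`, whereas the field-name update in this series rewrites the other dashboards to `groupby event.module*`; if both land, this dashboard should follow the same form.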
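Review bot: Adding `- influxdb.token` under the catch-all `'*'` target in pillar/top.sls distributes the InfluxDB token to every minion in the grid, which is the stated intent, but the diff does not show what the token can do: if `$INFLUXTOKEN` is the all-access token created at setup, any compromised sensor or receiver now holds read/write on every bucket rather than the write scope telegraf needs. Consider issuing a scoped write-only token for the `'*'` pillar and keeping the privileged token on the manager-only states (the influxdb/init.sls and soc/defaults.map.jinja hunks), or record in token.sls why a single token is acceptable. The curl.config.jinja and telegraf.conf hunks in this commit are affected by the same decision.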
+++ b/salt/influxdb/init.sls @@ -6,7 +6,7 @@ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-eval', 'so-import'] %} {% set PASSWORD = salt['pillar.get']('secrets:influx_pass') %} -{% set TOKEN = salt['pillar.get']('secrets:influx_token') %} +{% set TOKEN = salt['pillar.get']('influxdb:token') %} include: - salt.minion diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja index e16f047e4..85db938cc 100644 --- a/salt/soc/defaults.map.jinja +++ b/salt/soc/defaults.map.jinja @@ -1,7 +1,7 @@ {% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'docker/docker.map.jinja' import DOCKER -%} -{% set INFLUXDB_TOKEN = salt['pillar.get']('secrets:influx_token') %} +{% set INFLUXDB_TOKEN = salt['pillar.get']('influxdb:token') %} {% import_text 'influxdb/metrics_link.txt' as METRICS_LINK %} {% for module, application_url in GLOBALS.application_urls.items() %} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index 61843da5f..f2a89baf4 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -2,7 +2,7 @@ {%- set INFLUXDBHOST = GLOBALS.influxdb_host %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- set TOKEN = salt['pillar.get']('secrets:influx_token', '') %} +{%- set TOKEN = salt['pillar.get']('influxdb:token', '') %} {%- set NODEIP = GLOBALS.node_ip %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set ZEEK_ENABLED = salt['pillar.get']('zeek:enabled', True) %} diff --git a/setup/so-functions b/setup/so-functions index 639657416..78033bda5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -899,6 +899,7 @@ create_manager_pillars() { kratos_pillar soc_pillar idh_pillar + influxdb_pillar } 
@@ -1538,6 +1539,9 @@ influxdb_pillar() {
 title "Create the influxdb pillar file"
 touch $adv_influxdb_pillar_file
 touch $influxdb_pillar_file
+ printf '%s\n'\
+ "influxdb:"\
+ " token: $INFLUXTOKEN" > $local_salt_dir/pillar/influxdb/token.sls
 }
 make_some_dirs() {
@@ -2066,8 +2070,7 @@ secrets_pillar(){
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 " playbook_automation_api_key: "\
- " influx_pass: $INFLUXPASS"\
- " influx_token: $INFLUXTOKEN" > $local_salt_dir/pillar/secrets.sls
+ " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
 fi
 }
From a6db2d45021d318d5a5cf923dddf1c835acbbede Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 6 Mar 2023 15:50:09 -0500
Subject: [PATCH 249/470] Fleet - setup ES output for all Managers
---
 salt/common/tools/sbin/so-elastic-fleet-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index b7bf1b3c3..9c2d60eca 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -24,7 +24,7 @@ mkdir -p /opt/so/conf/elastic-fleet/certs
 cp /etc/ssl/certs/intca.crt /opt/so/conf/elastic-fleet/certs
 cp /etc/pki/elasticfleet* /opt/so/conf/elastic-fleet/certs
-{% if grains.role in ['so-import', 'so-standalone', 'so-eval'] %}
+{% if grains.role in ['so-import', 'so-standalone', 'so-eval', 'so-manager', 'so-managersearch'] %}
 # Add SO-Manager Elasticsearch Ouput
 ESCACRT=$(openssl x509 -in /opt/so/conf/elastic-fleet/certs/intca.crt)
 JSON_STRING=$( jq -n \
From 194565936956601c1920204d23af9f97926d7ba9 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 6 Mar 2023 15:59:08 -0500
Subject: [PATCH 250/470] Error is too common, found even in dashboard titles
---
 setup/so-verify | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-verify b/setup/so-verify
index 8c68852be..20aedb890 100755
--- a/setup/so-verify
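Review bot: `influxdb_pillar()` now writes the token as an unquoted YAML scalar via `" token: $INFLUXTOKEN"`; a value that begins with a YAML indicator or contains `: ` or ` #` could render as something other than the intended string, so write `" token: '$INFLUXTOKEN'"` to keep it a plain string. The hunk also does not show the mode of the new `pillar/influxdb/token.sls` file; if `$local_salt_dir/pillar` is not already restricted, a `chmod 600` after the printf would match the sensitivity of what it holds. `make_some_dirs()` and the rest of `secrets_pillar()` are outside the hunks.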
+++ b/setup/so-verify
@@ -32,7 +32,7 @@ log_has_errors() {
 # Ignore Failed: 0 since that is the salt state output, and we detect state failures
 # via Result: False already.
- grep -E "FAILED|Failed|failed|ERROR|Error|Result: False" "$setup_log" | \
+ grep -E "FAILED|Failed|failed|ERROR|Result: False" "$setup_log" | \
 grep -vE "The Salt Master has cached the public key for this node" | \
 grep -vE "Minion failed to authenticate with the master" | \
 grep -vE "Failed to connect to ::1" | \
From f77068f73f29dbecf4f5264c47dbd9559f9896ac Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 6 Mar 2023 18:37:37 -0500
Subject: [PATCH 251/470] setup and so-verify/so-status interop
---
 salt/common/tools/sbin/so-status | 17 ++++++++++++++---
 setup/so-functions | 4 ++++
 setup/so-verify | 19 ++++++++++++++-----
 3 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index da20fcacd..ec0ce94b1 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -24,11 +24,13 @@ def showUsage(options, args):
 print(' -h - Prints this usage information')
 print(' -q - Suppress output; useful for automation of exit code value')
 print(' -j - Output in JSON format')
+ print(' -i - Consider the installation outcome regardless of whether the system appears healthy')
 print('')
 print(' Exit codes:')
 print(' 0 - Success, system appears to be running correctly')
 print(' 1 - Error, one or more subsystems are not running')
 print(' 2 - System is starting')
+ print(' 3 - System installation encountered errors')
 print(' 99 - Installation in progress')
 sys.exit(1)
@@ -38,6 +40,12 @@ def fail(msg):
 sys.exit(1)
+def check_installation_status(options, console):
+ if "-i" in options and os.path.isfile('/root/failure'):
+ return 3
+ return 0
+
+
 def check_system_status(options, console):
 code = 0
 highstate_end_time = 0
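Review bot: Dropping `Error` from the grep alternation in `log_has_errors()` also stops matching mixed-case messages such as Python's `Error:` traceback lines, not only dashboard titles; a narrower form keeps those while excluding titles, e.g. `grep -E "FAILED|Failed|failed|ERROR|\bError:|Result: False" "$setup_log" | \`. Whether the setup log actually contains such mixed-case lines cannot be confirmed from the diff, so this depends on what the previous false positives looked like. The rest of `log_has_errors()` (the remaining `grep -vE` filters) is outside the hunk.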
@@ -64,6 +72,8 @@ def output(options, console, code, data):
 elif "-q" not in options:
 if code == 2:
 console.print(" [bold yellow]:hourglass: [bold white]System appears to be starting. No highstate has completed since the system was restarted.")
+ if code == 3:
+ console.print(" [bold red]:exclamation: [bold white]Installation encountered errors.")
 elif code == 99:
 console.print(" [bold red]:exclamation: [bold white]Installation does not appear to be complete. A highstate has not fully completed.")
 else:
@@ -137,7 +147,9 @@ def check_container_status(options, console):
 def check_status(options, console):
 container_list = []
- code = check_system_status(options, console)
+ code = check_installation_status(options, console)
+ if code == 0:
+ code = check_system_status(options, console)
 if code == 0:
 code, container_list = check_container_status(options, console)
 output(options, console, code, container_list)
@@ -150,9 +162,8 @@ def main():
 for option in args:
 if option.startswith("-"):
 options.append(option)
- args.remove(option)
- if len(args) != 0 or "-h" in options:
+ if "-h" in options or "--help" in options or "-?" in options:
 showUsage(options, None)
 if os.environ["USER"] != "root":
diff --git a/setup/so-functions b/setup/so-functions
index ede539a6c..0ca635872 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1774,6 +1774,10 @@ reinstall_init() {
 local service_retry_count=20
+ # Disregard previous install outcomes
+ rm -f /root/failure
+ rm -f /root/success
+
 {
 # remove all of root's cronjobs
 logCmd "crontab -r -u root"
diff --git a/setup/so-verify b/setup/so-verify
index 20aedb890..2ccc76b09 100755
--- a/setup/so-verify
+++ b/setup/so-verify
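Review bot: In `output()` the inserted `if code == 3:` sits between `if code == 2:` and `elif code == 99:`, which splits the chain into two statements: for `code == 2` the "starting" message is printed and then, because `code != 3` and `code != 99`, the `else` branch also prints the status table. It should be `elif code == 3:` (the next patch in this series rewrites the branch as an `elif` for code 100, which resolves it). The literal `'/root/failure'` is now spelled out in so-status, so-functions and so-verify; a module-level constant such as `FAILURE_MARKER = '/root/failure'` in so-status would at least keep the Python side from drifting. `output()` and `main()` extend beyond the hunks.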
@@ -81,18 +81,27 @@ status_failed() {
 main() {
 exit_code=0
- if log_has_errors; then
- echo "WARNING: Errors detected during setup"
+ if [ -f /root/success ]; then
+ echo "Successfully completed setup a while ago"
+ elif [ -f /root/failure ]; then
+ echo "WARNING: Failed setup a while ago"
 exit_code=1
+ elif log_has_errors; then
+ echo "WARNING: Errors detected during setup"
+ exit_code=1
+ touch /root/failure
 elif using_iso && cron_error_in_mail_spool; then
- echo "WARNING: Unexpected cron job output in mail spool"
+ echo "WARNING: Unexpected cron job output in mail spool"
 exit_code=1
+ touch /root/failure
 elif is_manager_node && status_failed; then
 echo "WARNING: Containers are not in a healthy state"
 exit_code=1
+ touch /root/failure
 else
- echo "Successfully completed setup!"
- fi
+ echo "Successfully completed setup!"
+ touch /root/success
+ fi
 exit $exit_code
 }
From b641dc37b6a133f1c965d3168f9ee49f1b8a5a77 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 6 Mar 2023 18:56:04 -0500
Subject: [PATCH 252/470] use high error code to flag an unrecoverable error
---
 salt/common/tools/sbin/so-status | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index ec0ce94b1..8b8dcb6ba 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -30,8 +30,8 @@ def showUsage(options, args):
 print(' 0 - Success, system appears to be running correctly')
 print(' 1 - Error, one or more subsystems are not running')
 print(' 2 - System is starting')
- print(' 3 - System installation encountered errors')
 print(' 99 - Installation in progress')
+ print(' 100 - System installation encountered errors')
 sys.exit(1)
@@ -42,7 +42,7 @@ def fail(msg):
 def check_installation_status(options, console):
 if "-i" in options and os.path.isfile('/root/failure'):
- return 3
+ return 100
 return 0
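Review bot: Once `touch /root/failure` runs, every later `so-verify` invocation takes the `elif [ -f /root/failure ]` branch and exits 1 without re-running `log_has_errors`, `cron_error_in_mail_spool` or `status_failed`, so a transient cause (containers still starting when the first run happened) is reported forever until `reinstall_init()` clears the markers. If re-running so-verify after a fix is meant to work, either fall through to the live checks when the failure marker exists, or add a comment at that branch stating that `/root/failure` must be removed manually to re-verify. The mirrored `/root/success` short-circuit looks intentional, but a comment saying so would help, e.g. `# markers are written once; only reinstall_init clears them`.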
@@ -72,10 +72,10 @@ def output(options, console, code, data):
 elif "-q" not in options:
 if code == 2:
 console.print(" [bold yellow]:hourglass: [bold white]System appears to be starting. No highstate has completed since the system was restarted.")
- if code == 3:
- console.print(" [bold red]:exclamation: [bold white]Installation encountered errors.")
 elif code == 99:
 console.print(" [bold red]:exclamation: [bold white]Installation does not appear to be complete. A highstate has not fully completed.")
+ elif code == 100:
+ console.print(" [bold red]:exclamation: [bold white]Installation encountered errors.")
 else:
 table = Table(title = "Security Onion Status", show_edge = False, safe_box = True, box = box.MINIMAL)
 table.add_column("Container", justify="right", style="white", no_wrap=True)
From 66bb82950539c4585e6968df6d806b259a2a51ad Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 6 Mar 2023 22:18:08 -0500
Subject: [PATCH 253/470] if -i, either success or failure must be present
---
 salt/common/tools/sbin/so-status | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 8b8dcb6ba..f604f892d 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -41,8 +41,12 @@ def fail(msg):
 def check_installation_status(options, console):
- if "-i" in options and os.path.isfile('/root/failure'):
- return 100
+ if "-i" in options:
+ if os.path.isfile('/root/failure'):
+ return 100
+ if os.path.isfile('/root/success'):
+ return 0
+ return 99
 return 0
From 086b3bf5286f1bbf6de38551f49c3ffadeaf004d Mon Sep 17 00:00:00 2001
From: Wes
Date: Tue, 7 Mar 2023 15:14:53 +0000
Subject: [PATCH 254/470] Add Curator to so-status output
---
 salt/curator/init.sls | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/salt/curator/init.sls b/salt/curator/init.sls
index a06696b0f..27c8d10c8 100644
--- a/salt/curator/init.sls
+++ b/salt/curator/init.sls
@@ -145,6 +145,23 @@ so-curator:
 - watch:
 - file: curconf
+append_so-curator_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-curator
+ - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf
+ {% if not CURATOROPTIONS.start %}
+so-curator_so-status.disabled:
+ file.comment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-curator$
+ {% else %}
+delete_so-curator_so-status.disabled:
+ file.uncomment:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - regex: ^so-curator$
+ {% endif %}
+
 so-curatorclusterclose:
 cron.present:
 - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1
From 14aa9ac5c90ec591d5b8d65eb90eaff83e7f7d59 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 7 Mar 2023 10:35:49 -0500
Subject: [PATCH 255/470] apply elastic-fleet state to managers
---
 salt/top.sls | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/salt/top.sls b/salt/top.sls
index 69d99f6de..f98eee725 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -149,6 +149,7 @@ base:
 - soctopus
 - playbook
 - elastic-fleet.install_agent_grid
+ - elastic-fleet
 - docker_clean
 '*_standalone and G@saltversion:{{saltversion}}':
@@ -199,9 +200,9 @@ base:
 - schedule
 - soctopus
 - playbook
- - docker_clean
- - elastic-fleet
 - elastic-fleet.install_agent_grid
+ - elastic-fleet
+ - docker_clean
 '*_searchnode and G@saltversion:{{saltversion}}':
 - match: compound
@@ -260,6 +261,7 @@ base:
 - soctopus
 - playbook
 - elastic-fleet.install_agent_grid
+ - elastic-fleet
 - docker_clean
 '*_heavynode and G@saltversion:{{saltversion}}':
@@ -319,9 +321,9 @@ base:
 - suricata
 - zeek
 - schedule
- - docker_clean
 - elastic-fleet.install_agent_grid
 - elastic-fleet
+ - docker_clean
 '*_receiver and G@saltversion:{{saltversion}}':
 - match: compound
From df94e830c50b0cb8eceb9b03e081c05350d6cd90 Mon Sep 17 00:00:00 2001
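Review bot: The `unless: grep -q so-curator ...` guard on `append_so-curator_so-status.conf` matches any line that merely contains `so-curator`, so a future entry such as `so-curator-something` would suppress the append while the exact `so-curator` line is still missing; anchoring it, `- unless: grep -qE '^#?so-curator$' /opt/so/conf/so-status/so-status.conf`, keeps the intended behaviour (a commented-out line still counts as present) without that false positive. The `file.comment` and `file.uncomment` states assume the line already exists but declare no dependency on the append state; Salt's default ordering happens to be file order, but `- require: - file: append_so-curator_so-status.conf` on each makes that explicit and survives a later reorder. Both states also share the `.disabled` suffix although one of them enables the entry, so `enable_so-curator_so-status` would read more honestly for the `file.uncomment` state.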
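Review bot: The hunk at `@@ -260,6 +261,7 @@` edits the match that immediately precedes `'*_heavynode ...'`, which by this file's layout appears to be the searchnode entry, so the commit applies `elastic-fleet` to searchnodes as well as the managers named in the subject; if that is intended the subject or a comment should say so, otherwise that hunk should be dropped. All four hunks (`@@ -149`, `@@ -199`, `@@ -260`, `@@ -319`) also sequence `elastic-fleet` after `elastic-fleet.install_agent_grid` and before `docker_clean` purely by list position; Salt's default auto-order honours it, but if `elastic-fleet` genuinely needs the agent installed first, a `require` inside that state is the form that survives the next edit to this file.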
From: Wes Date: Tue, 7 Mar 2023 16:15:41 +0000 Subject: [PATCH 256/470] Remove unnecessary Curator action files --- salt/curator/files/action/so-aws-close.yml | 27 ----------------- salt/curator/files/action/so-aws-delete.yml | 27 ----------------- salt/curator/files/action/so-aws-warm.yml | 29 ------------------ salt/curator/files/action/so-azure-close.yml | 27 ----------------- salt/curator/files/action/so-azure-delete.yml | 27 ----------------- salt/curator/files/action/so-azure-warm.yml | 29 ------------------ .../files/action/so-barracuda-close.yml | 27 ----------------- .../files/action/so-barracuda-delete.yml | 27 ----------------- .../files/action/so-barracuda-warm.yml | 29 ------------------ salt/curator/files/action/so-beats-warm.yml | 29 ------------------ .../files/action/so-bluecoat-close.yml | 27 ----------------- .../files/action/so-bluecoat-delete.yml | 27 ----------------- .../curator/files/action/so-bluecoat-warm.yml | 29 ------------------ salt/curator/files/action/so-cef-close.yml | 27 ----------------- salt/curator/files/action/so-cef-delete.yml | 27 ----------------- salt/curator/files/action/so-cef-warm.yml | 29 ------------------ .../files/action/so-checkpoint-close.yml | 27 ----------------- .../files/action/so-checkpoint-delete.yml | 27 ----------------- .../files/action/so-checkpoint-warm.yml | 29 ------------------ salt/curator/files/action/so-cisco-close.yml | 27 ----------------- salt/curator/files/action/so-cisco-delete.yml | 27 ----------------- salt/curator/files/action/so-cisco-warm.yml | 29 ------------------ .../files/action/so-cyberark-close.yml | 27 ----------------- .../files/action/so-cyberark-delete.yml | 27 ----------------- .../curator/files/action/so-cyberark-warm.yml | 29 ------------------ .../curator/files/action/so-cylance-close.yml | 27 ----------------- .../files/action/so-cylance-delete.yml | 27 ----------------- salt/curator/files/action/so-cylance-warm.yml | 29 ------------------ 
.../files/action/so-elasticsearch-warm.yml | 29 ------------------ .../curator/files/action/so-endgame-close.yml | 27 ----------------- .../files/action/so-endgame-delete.yml | 26 ---------------- salt/curator/files/action/so-endgame-warm.yml | 29 ------------------ salt/curator/files/action/so-f5-close.yml | 28 ----------------- salt/curator/files/action/so-f5-delete.yml | 28 ----------------- salt/curator/files/action/so-f5-warm.yml | 30 ------------------- .../curator/files/action/so-firewall-warm.yml | 30 ------------------- .../files/action/so-fortinet-close.yml | 28 ----------------- .../files/action/so-fortinet-delete.yml | 28 ----------------- .../curator/files/action/so-fortinet-warm.yml | 30 ------------------- salt/curator/files/action/so-gcp-close.yml | 28 ----------------- salt/curator/files/action/so-gcp-delete.yml | 28 ----------------- salt/curator/files/action/so-gcp-warm.yml | 30 ------------------- .../action/so-google_workspace-close.yml | 28 ----------------- .../action/so-google_workspace-delete.yml | 28 ----------------- .../files/action/so-google_workspace-warm.yml | 30 ------------------- salt/curator/files/action/so-ids-warm.yml | 30 ------------------- .../curator/files/action/so-imperva-close.yml | 28 ----------------- .../files/action/so-imperva-delete.yml | 27 ----------------- salt/curator/files/action/so-imperva-warm.yml | 29 ------------------ salt/curator/files/action/so-import-warm.yml | 29 ------------------ .../files/action/so-infoblox-close.yml | 27 ----------------- .../files/action/so-infoblox-delete.yml | 27 ----------------- .../curator/files/action/so-infoblox-warm.yml | 29 ------------------ .../curator/files/action/so-juniper-close.yml | 27 ----------------- .../files/action/so-juniper-delete.yml | 27 ----------------- salt/curator/files/action/so-juniper-warm.yml | 29 ------------------ salt/curator/files/action/so-kibana-warm.yml | 29 ------------------ salt/curator/files/action/so-kratos-warm.yml | 29 
------------------ .../curator/files/action/so-logstash-warm.yml | 29 ------------------ .../files/action/so-microsoft-close.yml | 27 ----------------- .../files/action/so-microsoft-delete.yml | 27 ----------------- .../files/action/so-microsoft-warm.yml | 29 ------------------ salt/curator/files/action/so-misp-close.yml | 27 ----------------- salt/curator/files/action/so-misp-delete.yml | 27 ----------------- salt/curator/files/action/so-misp-warm.yml | 29 ------------------ salt/curator/files/action/so-netflow-warm.yml | 29 ------------------ .../files/action/so-netscout-close.yml | 27 ----------------- .../files/action/so-netscout-delete.yml | 27 ----------------- .../curator/files/action/so-netscout-warm.yml | 29 ------------------ salt/curator/files/action/so-o365-close.yml | 27 ----------------- salt/curator/files/action/so-o365-delete.yml | 27 ----------------- salt/curator/files/action/so-o365-warm.yml | 29 ------------------ salt/curator/files/action/so-okta-close.yml | 27 ----------------- salt/curator/files/action/so-okta-warm.yml | 29 ------------------ salt/curator/files/action/so-okta.delete.yml | 27 ----------------- .../files/action/so-osquery-delete.yml | 2 +- salt/curator/files/action/so-osquery-warm.yml | 29 ------------------ salt/curator/files/action/so-ossec-warm.yml | 29 ------------------ .../files/action/so-proofpoint-close.yml | 27 ----------------- .../files/action/so-proofpoint-delete.yml | 27 ----------------- .../files/action/so-proofpoint-warm.yml | 29 ------------------ .../curator/files/action/so-radware-close.yml | 27 ----------------- .../files/action/so-radware-delete.yml | 27 ----------------- salt/curator/files/action/so-radware-warm.yml | 29 ------------------ salt/curator/files/action/so-redis-warm.yml | 29 ------------------ salt/curator/files/action/so-snort-close.yml | 27 ----------------- salt/curator/files/action/so-snort-delete.yml | 27 ----------------- salt/curator/files/action/so-snort-warm.yml | 29 
------------------ salt/curator/files/action/so-snyk-close.yml | 27 ----------------- salt/curator/files/action/so-snyk-delete.yml | 27 ----------------- salt/curator/files/action/so-snyk-warm.yml | 29 ------------------ .../files/action/so-sonicwall-close.yml | 27 ----------------- .../files/action/so-sonicwall-delete.yml | 27 ----------------- .../files/action/so-sonicwall-warm.yml | 29 ------------------ salt/curator/files/action/so-sophos-close.yml | 27 ----------------- .../curator/files/action/so-sophos-delete.yml | 27 ----------------- salt/curator/files/action/so-sophos-warm.yml | 29 ------------------ salt/curator/files/action/so-strelka-warm.yml | 29 ------------------ salt/curator/files/action/so-syslog-warm.yml | 29 ------------------ salt/curator/files/action/so-tomcat-close.yml | 27 ----------------- .../curator/files/action/so-tomcat-delete.yml | 27 ----------------- salt/curator/files/action/so-tomcat-warm.yml | 29 ------------------ salt/curator/files/action/so-zeek-warm.yml | 29 ------------------ .../curator/files/action/so-zscaler-close.yml | 27 ----------------- .../files/action/so-zscaler-delete.yml | 27 ----------------- salt/curator/files/action/so-zscaler-warm.yml | 29 ------------------ 106 files changed, 1 insertion(+), 2940 deletions(-) delete mode 100644 salt/curator/files/action/so-aws-close.yml delete mode 100644 salt/curator/files/action/so-aws-delete.yml delete mode 100644 salt/curator/files/action/so-aws-warm.yml delete mode 100644 salt/curator/files/action/so-azure-close.yml delete mode 100644 salt/curator/files/action/so-azure-delete.yml delete mode 100644 salt/curator/files/action/so-azure-warm.yml delete mode 100644 salt/curator/files/action/so-barracuda-close.yml delete mode 100644 salt/curator/files/action/so-barracuda-delete.yml delete mode 100644 salt/curator/files/action/so-barracuda-warm.yml delete mode 100644 salt/curator/files/action/so-beats-warm.yml delete mode 100644 salt/curator/files/action/so-bluecoat-close.yml 
delete mode 100644 salt/curator/files/action/so-bluecoat-delete.yml delete mode 100644 salt/curator/files/action/so-bluecoat-warm.yml delete mode 100644 salt/curator/files/action/so-cef-close.yml delete mode 100644 salt/curator/files/action/so-cef-delete.yml delete mode 100644 salt/curator/files/action/so-cef-warm.yml delete mode 100644 salt/curator/files/action/so-checkpoint-close.yml delete mode 100644 salt/curator/files/action/so-checkpoint-delete.yml delete mode 100644 salt/curator/files/action/so-checkpoint-warm.yml delete mode 100644 salt/curator/files/action/so-cisco-close.yml delete mode 100644 salt/curator/files/action/so-cisco-delete.yml delete mode 100644 salt/curator/files/action/so-cisco-warm.yml delete mode 100644 salt/curator/files/action/so-cyberark-close.yml delete mode 100644 salt/curator/files/action/so-cyberark-delete.yml delete mode 100644 salt/curator/files/action/so-cyberark-warm.yml delete mode 100644 salt/curator/files/action/so-cylance-close.yml delete mode 100644 salt/curator/files/action/so-cylance-delete.yml delete mode 100644 salt/curator/files/action/so-cylance-warm.yml delete mode 100644 salt/curator/files/action/so-elasticsearch-warm.yml delete mode 100644 salt/curator/files/action/so-endgame-close.yml delete mode 100644 salt/curator/files/action/so-endgame-delete.yml delete mode 100644 salt/curator/files/action/so-endgame-warm.yml delete mode 100644 salt/curator/files/action/so-f5-close.yml delete mode 100644 salt/curator/files/action/so-f5-delete.yml delete mode 100644 salt/curator/files/action/so-f5-warm.yml delete mode 100644 salt/curator/files/action/so-firewall-warm.yml delete mode 100644 salt/curator/files/action/so-fortinet-close.yml delete mode 100644 salt/curator/files/action/so-fortinet-delete.yml delete mode 100644 salt/curator/files/action/so-fortinet-warm.yml delete mode 100644 salt/curator/files/action/so-gcp-close.yml delete mode 100644 salt/curator/files/action/so-gcp-delete.yml delete mode 100644 
salt/curator/files/action/so-gcp-warm.yml delete mode 100644 salt/curator/files/action/so-google_workspace-close.yml delete mode 100644 salt/curator/files/action/so-google_workspace-delete.yml delete mode 100644 salt/curator/files/action/so-google_workspace-warm.yml delete mode 100644 salt/curator/files/action/so-ids-warm.yml delete mode 100644 salt/curator/files/action/so-imperva-close.yml delete mode 100644 salt/curator/files/action/so-imperva-delete.yml delete mode 100644 salt/curator/files/action/so-imperva-warm.yml delete mode 100644 salt/curator/files/action/so-import-warm.yml delete mode 100644 salt/curator/files/action/so-infoblox-close.yml delete mode 100644 salt/curator/files/action/so-infoblox-delete.yml delete mode 100644 salt/curator/files/action/so-infoblox-warm.yml delete mode 100644 salt/curator/files/action/so-juniper-close.yml delete mode 100644 salt/curator/files/action/so-juniper-delete.yml delete mode 100644 salt/curator/files/action/so-juniper-warm.yml delete mode 100644 salt/curator/files/action/so-kibana-warm.yml delete mode 100644 salt/curator/files/action/so-kratos-warm.yml delete mode 100644 salt/curator/files/action/so-logstash-warm.yml delete mode 100644 salt/curator/files/action/so-microsoft-close.yml delete mode 100644 salt/curator/files/action/so-microsoft-delete.yml delete mode 100644 salt/curator/files/action/so-microsoft-warm.yml delete mode 100644 salt/curator/files/action/so-misp-close.yml delete mode 100644 salt/curator/files/action/so-misp-delete.yml delete mode 100644 salt/curator/files/action/so-misp-warm.yml delete mode 100644 salt/curator/files/action/so-netflow-warm.yml delete mode 100644 salt/curator/files/action/so-netscout-close.yml delete mode 100644 salt/curator/files/action/so-netscout-delete.yml delete mode 100644 salt/curator/files/action/so-netscout-warm.yml delete mode 100644 salt/curator/files/action/so-o365-close.yml delete mode 100644 salt/curator/files/action/so-o365-delete.yml delete mode 100644 
salt/curator/files/action/so-o365-warm.yml delete mode 100644 salt/curator/files/action/so-okta-close.yml delete mode 100644 salt/curator/files/action/so-okta-warm.yml delete mode 100644 salt/curator/files/action/so-okta.delete.yml delete mode 100644 salt/curator/files/action/so-osquery-warm.yml delete mode 100644 salt/curator/files/action/so-ossec-warm.yml delete mode 100644 salt/curator/files/action/so-proofpoint-close.yml delete mode 100644 salt/curator/files/action/so-proofpoint-delete.yml delete mode 100644 salt/curator/files/action/so-proofpoint-warm.yml delete mode 100644 salt/curator/files/action/so-radware-close.yml delete mode 100644 salt/curator/files/action/so-radware-delete.yml delete mode 100644 salt/curator/files/action/so-radware-warm.yml delete mode 100644 salt/curator/files/action/so-redis-warm.yml delete mode 100644 salt/curator/files/action/so-snort-close.yml delete mode 100644 salt/curator/files/action/so-snort-delete.yml delete mode 100644 salt/curator/files/action/so-snort-warm.yml delete mode 100644 salt/curator/files/action/so-snyk-close.yml delete mode 100644 salt/curator/files/action/so-snyk-delete.yml delete mode 100644 salt/curator/files/action/so-snyk-warm.yml delete mode 100644 salt/curator/files/action/so-sonicwall-close.yml delete mode 100644 salt/curator/files/action/so-sonicwall-delete.yml delete mode 100644 salt/curator/files/action/so-sonicwall-warm.yml delete mode 100644 salt/curator/files/action/so-sophos-close.yml delete mode 100644 salt/curator/files/action/so-sophos-delete.yml delete mode 100644 salt/curator/files/action/so-sophos-warm.yml delete mode 100644 salt/curator/files/action/so-strelka-warm.yml delete mode 100644 salt/curator/files/action/so-syslog-warm.yml delete mode 100644 salt/curator/files/action/so-tomcat-close.yml delete mode 100644 salt/curator/files/action/so-tomcat-delete.yml delete mode 100644 salt/curator/files/action/so-tomcat-warm.yml delete mode 100644 salt/curator/files/action/so-zeek-warm.yml 
delete mode 100644 salt/curator/files/action/so-zscaler-close.yml delete mode 100644 salt/curator/files/action/so-zscaler-delete.yml delete mode 100644 salt/curator/files/action/so-zscaler-warm.yml diff --git a/salt/curator/files/action/so-aws-close.yml b/salt/curator/files/action/so-aws-close.yml deleted file mode 100644 index 9fb37b879..000000000 --- a/salt/curator/files/action/so-aws-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-aws'].close %} -actions: - 1: - action: close - description: >- - Close aws indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-aws.*|so-aws.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-aws-delete.yml b/salt/curator/files/action/so-aws-delete.yml deleted file mode 100644 index 7291edafb..000000000 --- a/salt/curator/files/action/so-aws-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-aws'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete aws indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-aws.*|so-aws.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-aws-warm.yml b/salt/curator/files/action/so-aws-warm.yml deleted file mode 100644 index e441f1b80..000000000 --- a/salt/curator/files/action/so-aws-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-aws'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-aws - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-azure-close.yml b/salt/curator/files/action/so-azure-close.yml deleted file mode 100644 index f93c59bcb..000000000 --- a/salt/curator/files/action/so-azure-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-azure'].close %} -actions: - 1: - action: close - description: >- - Close azure indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-azure.*|so-azure.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-azure-delete.yml b/salt/curator/files/action/so-azure-delete.yml deleted file mode 100644 index 7bda39f1a..000000000 --- a/salt/curator/files/action/so-azure-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-azure'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete azure indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-azure.*|so-azure.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-azure-warm.yml b/salt/curator/files/action/so-azure-warm.yml deleted file mode 100644 index 22019fd42..000000000 --- a/salt/curator/files/action/so-azure-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-azure'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-azure - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-barracuda-close.yml b/salt/curator/files/action/so-barracuda-close.yml deleted file mode 100644 index 5613056bf..000000000 --- a/salt/curator/files/action/so-barracuda-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-barracuda'].close %} -actions: - 1: - action: close - description: >- - Close barracuda indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-barracuda.*|so-barracuda.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-barracuda-delete.yml b/salt/curator/files/action/so-barracuda-delete.yml deleted file mode 100644 index b4b3626c2..000000000 --- a/salt/curator/files/action/so-barracuda-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-barracuda'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete barracuda indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-barracuda.*|so-barracuda.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-barracuda-warm.yml b/salt/curator/files/action/so-barracuda-warm.yml deleted file mode 100644 index e09c91587..000000000 --- a/salt/curator/files/action/so-barracuda-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-barracuda'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-barracuda - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-beats-warm.yml b/salt/curator/files/action/so-beats-warm.yml deleted file mode 100644 index dd403312c..000000000 --- a/salt/curator/files/action/so-beats-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-beats'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-beats - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-bluecoat-close.yml b/salt/curator/files/action/so-bluecoat-close.yml deleted file mode 100644 index a59f6db95..000000000 --- a/salt/curator/files/action/so-bluecoat-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-bluecoat'].close %} -actions: - 1: - action: close - description: >- - Close bluecoat indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-bluecoat.*|so-bluecoat.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-bluecoat-delete.yml b/salt/curator/files/action/so-bluecoat-delete.yml deleted file mode 100644 index 8736948a2..000000000 --- a/salt/curator/files/action/so-bluecoat-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-bluecoat'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete bluecoat indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-bluecoat.*|so-bluecoat.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-bluecoat-warm.yml b/salt/curator/files/action/so-bluecoat-warm.yml deleted file mode 100644 index fbed0f6c8..000000000 --- a/salt/curator/files/action/so-bluecoat-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-bluecoat'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-bluecoat - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cef-close.yml b/salt/curator/files/action/so-cef-close.yml deleted file mode 100644 index 25ce7067c..000000000 --- a/salt/curator/files/action/so-cef-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cef'].close %} -actions: - 1: - action: close - description: >- - Close cef indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cef.*|so-cef.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cef-delete.yml b/salt/curator/files/action/so-cef-delete.yml deleted file mode 100644 index a57fb9027..000000000 --- a/salt/curator/files/action/so-cef-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cef'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cef indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cef.*|so-cef.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cef-warm.yml b/salt/curator/files/action/so-cef-warm.yml deleted file mode 100644 index efcb58cfb..000000000 --- a/salt/curator/files/action/so-cef-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cef'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cef - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-checkpoint-close.yml b/salt/curator/files/action/so-checkpoint-close.yml deleted file mode 100644 index 9ba1ae14d..000000000 --- a/salt/curator/files/action/so-checkpoint-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-checkpoint'].close %} -actions: - 1: - action: close - description: >- - Close checkpoint indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-checkpoint.*|so-checkpoint.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-checkpoint-delete.yml b/salt/curator/files/action/so-checkpoint-delete.yml deleted file mode 100644 index 228e6b004..000000000 --- a/salt/curator/files/action/so-checkpoint-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-checkpoint'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete checkpoint indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-checkpoint.*|so-checkpoint.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-checkpoint-warm.yml b/salt/curator/files/action/so-checkpoint-warm.yml deleted file mode 100644 index ae9193e33..000000000 --- a/salt/curator/files/action/so-checkpoint-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-checkpoint'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-checkpoint - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cisco-close.yml b/salt/curator/files/action/so-cisco-close.yml deleted file mode 100644 index bf804fc30..000000000 --- a/salt/curator/files/action/so-cisco-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cisco'].close %} -actions: - 1: - action: close - description: >- - Close cisco indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cisco.*|so-cisco.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cisco-delete.yml b/salt/curator/files/action/so-cisco-delete.yml deleted file mode 100644 index 974d17a4a..000000000 --- a/salt/curator/files/action/so-cisco-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cisco'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cisco indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cisco.*|so-cisco.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cisco-warm.yml b/salt/curator/files/action/so-cisco-warm.yml deleted file mode 100644 index fefc84320..000000000 --- a/salt/curator/files/action/so-cisco-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cisco'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cisco - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cyberark-close.yml b/salt/curator/files/action/so-cyberark-close.yml deleted file mode 100644 index 4da7ae0d2..000000000 --- a/salt/curator/files/action/so-cyberark-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cyberark'].close %} -actions: - 1: - action: close - description: >- - Close cyberark indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cyberark.*|so-cyberark.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cyberark-delete.yml b/salt/curator/files/action/so-cyberark-delete.yml deleted file mode 100644 index 1d46f616b..000000000 --- a/salt/curator/files/action/so-cyberark-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cyberark'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cyberark indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cyberark.*|so-cyberark.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cyberark-warm.yml b/salt/curator/files/action/so-cyberark-warm.yml deleted file mode 100644 index c6dc52e4c..000000000 --- a/salt/curator/files/action/so-cyberark-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cyberark'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cyberark - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-cylance-close.yml b/salt/curator/files/action/so-cylance-close.yml deleted file mode 100644 index 957ac468e..000000000 --- a/salt/curator/files/action/so-cylance-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-cylance'].close %} -actions: - 1: - action: close - description: >- - Close cylance indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cylance.*|so-cylance.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-cylance-delete.yml b/salt/curator/files/action/so-cylance-delete.yml deleted file mode 100644 index caa0a40a6..000000000 --- a/salt/curator/files/action/so-cylance-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-cylance'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete cylance indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-cylance.*|so-cylance.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-cylance-warm.yml b/salt/curator/files/action/so-cylance-warm.yml deleted file mode 100644 index 3e7d32258..000000000 --- a/salt/curator/files/action/so-cylance-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-cylance'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-cylance - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-elasticsearch-warm.yml b/salt/curator/files/action/so-elasticsearch-warm.yml deleted file mode 100644 index 5ef8f3df8..000000000 --- a/salt/curator/files/action/so-elasticsearch-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-elasticsearch'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-elasticsearch - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-endgame-close.yml b/salt/curator/files/action/so-endgame-close.yml deleted file mode 100644 index 9d1fbfbfb..000000000 --- a/salt/curator/files/action/so-endgame-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-endgame'].close %} -actions: - 1: - action: close - description: >- - Close Endgame indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-endgame-delete.yml b/salt/curator/files/action/so-endgame-delete.yml deleted file mode 100644 index a175c1c3b..000000000 --- a/salt/curator/files/action/so-endgame-delete.yml +++ /dev/null @@ -1,26 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-endgame'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete Endgame indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: diff --git a/salt/curator/files/action/so-endgame-warm.yml b/salt/curator/files/action/so-endgame-warm.yml deleted file mode 100644 index 67e4c545e..000000000 --- a/salt/curator/files/action/so-endgame-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-endgame'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-endgame.*|so-endgame.*|endgame.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} diff --git a/salt/curator/files/action/so-f5-close.yml b/salt/curator/files/action/so-f5-close.yml deleted file mode 100644 index da8946d96..000000000 --- a/salt/curator/files/action/so-f5-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-f5'].close %} -actions: - 1: - action: close - description: >- - Close f5 indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-f5.*|so-f5.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-f5-delete.yml b/salt/curator/files/action/so-f5-delete.yml deleted file mode 100644 index 867029640..000000000 --- a/salt/curator/files/action/so-f5-delete.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-f5'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete f5 indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-f5.*|so-f5.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-f5-warm.yml b/salt/curator/files/action/so-f5-warm.yml deleted file mode 100644 index edf17f687..000000000 --- a/salt/curator/files/action/so-f5-warm.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-f5'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-f5 - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-firewall-warm.yml b/salt/curator/files/action/so-firewall-warm.yml deleted file mode 100644 index d76f52a83..000000000 --- a/salt/curator/files/action/so-firewall-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-firewall'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-firewall - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-fortinet-close.yml b/salt/curator/files/action/so-fortinet-close.yml deleted file mode 100644 index 1a77b5d73..000000000 --- a/salt/curator/files/action/so-fortinet-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-fortinet'].close %} -actions: - 1: - action: close - description: >- - Close fortinet indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-fortinet.*|so-fortinet.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-fortinet-delete.yml b/salt/curator/files/action/so-fortinet-delete.yml deleted file mode 100644 index 2cb530269..000000000 --- a/salt/curator/files/action/so-fortinet-delete.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-fortinet'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete fortinet indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-fortinet.*|so-fortinet.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-fortinet-warm.yml b/salt/curator/files/action/so-fortinet-warm.yml deleted file mode 100644 index c4a273315..000000000 --- a/salt/curator/files/action/so-fortinet-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-fortinet'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-fortinet - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-gcp-close.yml b/salt/curator/files/action/so-gcp-close.yml deleted file mode 100644 index 7bc3b3584..000000000 --- a/salt/curator/files/action/so-gcp-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-gcp'].close %} -actions: - 1: - action: close - description: >- - Close gcp indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-gcp.*|so-gcp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-gcp-delete.yml b/salt/curator/files/action/so-gcp-delete.yml deleted file mode 100644 index de55f350e..000000000 --- a/salt/curator/files/action/so-gcp-delete.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-gcp'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete gcp indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-gcp.*|so-gcp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-gcp-warm.yml b/salt/curator/files/action/so-gcp-warm.yml deleted file mode 100644 index 17085436d..000000000 --- a/salt/curator/files/action/so-gcp-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-gcp'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-gcp - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-google_workspace-close.yml b/salt/curator/files/action/so-google_workspace-close.yml deleted file mode 100644 index 35ccd5375..000000000 --- a/salt/curator/files/action/so-google_workspace-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-google_workspace'].close %} -actions: - 1: - action: close - description: >- - Close google_workspace indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-google_workspace.*|so-google_workspace.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-google_workspace-delete.yml b/salt/curator/files/action/so-google_workspace-delete.yml deleted file mode 100644 index 9ccff9cba..000000000 --- a/salt/curator/files/action/so-google_workspace-delete.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set DELETE_DAYS = CURATORMERGED['so-google_workspace'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete google_workspace indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-google_workspace.*|so-google_workspace.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-google_workspace-warm.yml b/salt/curator/files/action/so-google_workspace-warm.yml deleted file mode 100644 index d1b5874f5..000000000 --- a/salt/curator/files/action/so-google_workspace-warm.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-google_workspace'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-google_workspace - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-ids-warm.yml b/salt/curator/files/action/so-ids-warm.yml deleted file mode 100644 index d6dfc9ce8..000000000 --- a/salt/curator/files/action/so-ids-warm.yml +++ /dev/null @@ -1,30 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set WARM_DAYS = CURATORMERGED['so-ids'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-ids - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-imperva-close.yml b/salt/curator/files/action/so-imperva-close.yml deleted file mode 100644 index e8a86c753..000000000 --- a/salt/curator/files/action/so-imperva-close.yml +++ /dev/null @@ -1,28 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -{%- set cur_close_days = CURATORMERGED['so-imperva'].close %} -actions: - 1: - action: close - description: >- - Close imperva indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-imperva.*|so-imperva.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-imperva-delete.yml b/salt/curator/files/action/so-imperva-delete.yml deleted file mode 100644 index 17f221d64..000000000 --- a/salt/curator/files/action/so-imperva-delete.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-imperva'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete imperva indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-imperva.*|so-imperva.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-imperva-warm.yml b/salt/curator/files/action/so-imperva-warm.yml deleted file mode 100644 index 082d553df..000000000 --- a/salt/curator/files/action/so-imperva-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-imperva'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-imperva - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-import-warm.yml b/salt/curator/files/action/so-import-warm.yml deleted file mode 100644 index 75d1da2d8..000000000 --- a/salt/curator/files/action/so-import-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-import'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-import - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-infoblox-close.yml b/salt/curator/files/action/so-infoblox-close.yml deleted file mode 100644 index cc3704c12..000000000 --- a/salt/curator/files/action/so-infoblox-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-infoblox'].close %} -actions: - 1: - action: close - description: >- - Close infoblox indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-infoblox.*|so-infoblox.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-infoblox-delete.yml b/salt/curator/files/action/so-infoblox-delete.yml deleted file mode 100644 index f10be3b93..000000000 --- a/salt/curator/files/action/so-infoblox-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-infoblox'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete infoblox indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-infoblox.*|so-infoblox.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-infoblox-warm.yml b/salt/curator/files/action/so-infoblox-warm.yml deleted file mode 100644 index 5fe51c7e2..000000000 --- a/salt/curator/files/action/so-infoblox-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-infoblox'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-infoblox - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-juniper-close.yml b/salt/curator/files/action/so-juniper-close.yml deleted file mode 100644 index 62f783322..000000000 --- a/salt/curator/files/action/so-juniper-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-juniper'].close %} -actions: - 1: - action: close - description: >- - Close juniper indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-juniper.*|so-juniper.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-juniper-delete.yml b/salt/curator/files/action/so-juniper-delete.yml deleted file mode 100644 index b0e5306fc..000000000 --- a/salt/curator/files/action/so-juniper-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-juniper'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete juniper indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-juniper.*|so-juniper.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-juniper-warm.yml b/salt/curator/files/action/so-juniper-warm.yml deleted file mode 100644 index e441f1b80..000000000 --- a/salt/curator/files/action/so-juniper-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-aws'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-aws - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-kibana-warm.yml b/salt/curator/files/action/so-kibana-warm.yml deleted file mode 100644 index ce6f6a2c7..000000000 --- a/salt/curator/files/action/so-kibana-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-kibana'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-kibana - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml deleted file mode 100644 index 296c34ea4..000000000 --- a/salt/curator/files/action/so-kratos-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-kratos'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-kratos - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-logstash-warm.yml b/salt/curator/files/action/so-logstash-warm.yml deleted file mode 100644 index b6a6bc010..000000000 --- a/salt/curator/files/action/so-logstash-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-logstash'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-logstash - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-microsoft-close.yml b/salt/curator/files/action/so-microsoft-close.yml deleted file mode 100644 index 55b077446..000000000 --- a/salt/curator/files/action/so-microsoft-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-microsoft'].close %} -actions: - 1: - action: close - description: >- - Close microsoft indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-microsoft.*|so-microsoft.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-microsoft-delete.yml b/salt/curator/files/action/so-microsoft-delete.yml deleted file mode 100644 index 5f92c23a4..000000000 --- a/salt/curator/files/action/so-microsoft-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-microsoft'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete microsoft indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-microsoft.*|so-microsoft.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-microsoft-warm.yml b/salt/curator/files/action/so-microsoft-warm.yml deleted file mode 100644 index 4ce0283ac..000000000 --- a/salt/curator/files/action/so-microsoft-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-microsoft'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-microsoft - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-misp-close.yml b/salt/curator/files/action/so-misp-close.yml deleted file mode 100644 index 9f326b54b..000000000 --- a/salt/curator/files/action/so-misp-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-misp'].close %} -actions: - 1: - action: close - description: >- - Close misp indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-misp.*|so-misp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-misp-delete.yml b/salt/curator/files/action/so-misp-delete.yml deleted file mode 100644 index 1b8426344..000000000 --- a/salt/curator/files/action/so-misp-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-misp'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete misp indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-misp.*|so-misp.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-misp-warm.yml b/salt/curator/files/action/so-misp-warm.yml deleted file mode 100644 index 410cc3e4c..000000000 --- a/salt/curator/files/action/so-misp-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-misp'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-misp - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-netflow-warm.yml b/salt/curator/files/action/so-netflow-warm.yml deleted file mode 100644 index a8c5250b2..000000000 --- a/salt/curator/files/action/so-netflow-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-netflow'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-netflow - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-netscout-close.yml b/salt/curator/files/action/so-netscout-close.yml deleted file mode 100644 index c601f5e45..000000000 --- a/salt/curator/files/action/so-netscout-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-netscout'].close %} -actions: - 1: - action: close - description: >- - Close netscout indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-netscout.*|so-netscout.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-netscout-delete.yml b/salt/curator/files/action/so-netscout-delete.yml deleted file mode 100644 index d779bfed8..000000000 --- a/salt/curator/files/action/so-netscout-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-netscout'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete netscout indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-netscout.*|so-netscout.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-netscout-warm.yml b/salt/curator/files/action/so-netscout-warm.yml deleted file mode 100644 index cd101d519..000000000 --- a/salt/curator/files/action/so-netscout-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-netscout'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-netscout - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-o365-close.yml b/salt/curator/files/action/so-o365-close.yml deleted file mode 100644 index 0fb7738a7..000000000 --- a/salt/curator/files/action/so-o365-close.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-o365'].close %} -actions: - 1: - action: close - description: >- - Close o365 indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-o365.*|so-o365.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: 
diff --git a/salt/curator/files/action/so-o365-delete.yml b/salt/curator/files/action/so-o365-delete.yml deleted file mode 100644 index fe8e5451e..000000000 --- a/salt/curator/files/action/so-o365-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-o365'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete o365 indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-o365.*|so-o365.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-o365-warm.yml b/salt/curator/files/action/so-o365-warm.yml deleted file mode 100644 index 049ab26f2..000000000 --- a/salt/curator/files/action/so-o365-warm.yml +++ /dev/null 
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-o365'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-o365
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-okta-close.yml b/salt/curator/files/action/so-okta-close.yml
deleted file mode 100644
index cf7948e8d..000000000
--- a/salt/curator/files/action/so-okta-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-okta'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close okta indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-okta.*|so-okta.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-okta-warm.yml b/salt/curator/files/action/so-okta-warm.yml
deleted file mode 100644
index 775aafdc1..000000000
--- a/salt/curator/files/action/so-okta-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-okta'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-okta
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-okta.delete.yml b/salt/curator/files/action/so-okta.delete.yml
deleted file mode 100644
index 4854df292..000000000
--- a/salt/curator/files/action/so-okta.delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-okta'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete okta indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-okta.*|so-okta.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml
index 24033d41d..b6263b0e8 100644
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -24,4 +24,4 @@ actions:
 unit_count: {{ DELETE_DAYS }}
 exclude:
-
\ No newline at end of file
+
diff --git a/salt/curator/files/action/so-osquery-warm.yml b/salt/curator/files/action/so-osquery-warm.yml
deleted file mode 100644
index bd2cbc0b2..000000000
--- a/salt/curator/files/action/so-osquery-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-osquery'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-osquery
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-ossec-warm.yml b/salt/curator/files/action/so-ossec-warm.yml
deleted file mode 100644
index c9718ee31..000000000
--- a/salt/curator/files/action/so-ossec-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-ossec'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-ossec
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-proofpoint-close.yml b/salt/curator/files/action/so-proofpoint-close.yml
deleted file mode 100644
index 28044ecc9..000000000
--- a/salt/curator/files/action/so-proofpoint-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-proofpoint'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close proofpoint indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-proofpoint-delete.yml b/salt/curator/files/action/so-proofpoint-delete.yml
deleted file mode 100644
index 436c4c803..000000000
--- a/salt/curator/files/action/so-proofpoint-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-proofpoint'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete proofpoint indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-proofpoint.*|so-proofpoint.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-proofpoint-warm.yml b/salt/curator/files/action/so-proofpoint-warm.yml
deleted file mode 100644
index daa8d0265..000000000
--- a/salt/curator/files/action/so-proofpoint-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-proofpoint'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-proofpoint
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-radware-close.yml b/salt/curator/files/action/so-radware-close.yml
deleted file mode 100644
index 1f932058a..000000000
--- a/salt/curator/files/action/so-radware-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-radware'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close radware indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-radware.*|so-radware.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-radware-delete.yml b/salt/curator/files/action/so-radware-delete.yml
deleted file mode 100644
index 46a614570..000000000
--- a/salt/curator/files/action/so-radware-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-radware'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete radware indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-radware.*|so-radware.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-radware-warm.yml b/salt/curator/files/action/so-radware-warm.yml
deleted file mode 100644
index b0f15663d..000000000
--- a/salt/curator/files/action/so-radware-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-radware'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-radware
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-redis-warm.yml b/salt/curator/files/action/so-redis-warm.yml
deleted file mode 100644
index dc472be97..000000000
--- a/salt/curator/files/action/so-redis-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-redis'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-redis
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-snort-close.yml b/salt/curator/files/action/so-snort-close.yml
deleted file mode 100644
index 955c8d065..000000000
--- a/salt/curator/files/action/so-snort-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-snort'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close snort indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snort.*|so-snort.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-snort-delete.yml b/salt/curator/files/action/so-snort-delete.yml
deleted file mode 100644
index 3077a3d51..000000000
--- a/salt/curator/files/action/so-snort-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-snort'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete snort indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snort.*|so-snort.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-snort-warm.yml b/salt/curator/files/action/so-snort-warm.yml
deleted file mode 100644
index 82af9a140..000000000
--- a/salt/curator/files/action/so-snort-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-snort'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-snort
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-snyk-close.yml b/salt/curator/files/action/so-snyk-close.yml
deleted file mode 100644
index 60bde3d43..000000000
--- a/salt/curator/files/action/so-snyk-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-snyk'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close snyk indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snyk.*|so-snyk.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-snyk-delete.yml b/salt/curator/files/action/so-snyk-delete.yml
deleted file mode 100644
index 95104ead0..000000000
--- a/salt/curator/files/action/so-snyk-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-snyk'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete snyk indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-snyk.*|so-snyk.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-snyk-warm.yml b/salt/curator/files/action/so-snyk-warm.yml
deleted file mode 100644
index 3767bc0d0..000000000
--- a/salt/curator/files/action/so-snyk-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-snyk'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-snyk
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-sonicwall-close.yml b/salt/curator/files/action/so-sonicwall-close.yml
deleted file mode 100644
index ef61f9427..000000000
--- a/salt/curator/files/action/so-sonicwall-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-sonicwall'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close sonicwall indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-sonicwall-delete.yml b/salt/curator/files/action/so-sonicwall-delete.yml
deleted file mode 100644
index 2a9d40739..000000000
--- a/salt/curator/files/action/so-sonicwall-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-sonicwall'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete sonicwall indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sonicwall.*|so-sonicwall.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-sonicwall-warm.yml b/salt/curator/files/action/so-sonicwall-warm.yml
deleted file mode 100644
index 9f6b596df..000000000
--- a/salt/curator/files/action/so-sonicwall-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-sonicwall'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-sonicwall
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-sophos-close.yml b/salt/curator/files/action/so-sophos-close.yml
deleted file mode 100644
index b2ccbb65f..000000000
--- a/salt/curator/files/action/so-sophos-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-sophos'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close sophos indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sophos.*|so-sophos.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-sophos-delete.yml b/salt/curator/files/action/so-sophos-delete.yml
deleted file mode 100644
index b15cc06dd..000000000
--- a/salt/curator/files/action/so-sophos-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set DELETE_DAYS = CURATORMERGED['so-sophos'].delete %}
-actions:
- 1:
- action: delete_indices
- description: >-
- Delete sophos indices when older than {{ DELETE_DAYS }} days.
- options:
- ignore_empty_list: True
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-sophos.*|so-sophos.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ DELETE_DAYS }}
- exclude:
-
-
\ No newline at end of file
diff --git a/salt/curator/files/action/so-sophos-warm.yml b/salt/curator/files/action/so-sophos-warm.yml
deleted file mode 100644
index 619fde7a3..000000000
--- a/salt/curator/files/action/so-sophos-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-sophos'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-sophos
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-strelka-warm.yml b/salt/curator/files/action/so-strelka-warm.yml
deleted file mode 100644
index 96bc9f55d..000000000
--- a/salt/curator/files/action/so-strelka-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-strelka'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-strelka
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-syslog-warm.yml b/salt/curator/files/action/so-syslog-warm.yml
deleted file mode 100644
index be42c20da..000000000
--- a/salt/curator/files/action/so-syslog-warm.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set WARM_DAYS = CURATORMERGED['so-syslog'].warm %}
-actions:
- 1:
- action: allocation
- description: "Apply shard allocation filtering rules to the specified indices"
- options:
- key: box_type
- value: warm
- allocation_type: require
- wait_for_completion: true
- timeout_override:
- continue_if_exception: false
- disable_action: false
- filters:
- - filtertype: pattern
- kind: prefix
- value: so-syslog
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{ WARM_DAYS }}
-
diff --git a/salt/curator/files/action/so-tomcat-close.yml b/salt/curator/files/action/so-tomcat-close.yml
deleted file mode 100644
index 816293853..000000000
--- a/salt/curator/files/action/so-tomcat-close.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
-# https://securityonion.net/license; you may not use this file except in compliance with the
-# Elastic License 2.0.
-
-{%- set cur_close_days = CURATORMERGED['so-tomcat'].close %}
-actions:
- 1:
- action: close
- description: >-
- Close tomcat indices older than {{cur_close_days}} days.
- options:
- delete_aliases: False
- timeout_override:
- continue_if_exception: False
- disable_action: False
- filters:
- - filtertype: pattern
- kind: regex
- value: '^(logstash-tomcat.*|so-tomcat.*)$'
- - filtertype: age
- source: name
- direction: older
- timestring: '%Y.%m.%d'
- unit: days
- unit_count: {{cur_close_days}}
- exclude:
diff --git a/salt/curator/files/action/so-tomcat-delete.yml b/salt/curator/files/action/so-tomcat-delete.yml
deleted file mode 100644
index e605266b4..000000000
--- a/salt/curator/files/action/so-tomcat-delete.yml
+++ /dev/null
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-tomcat'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete tomcat indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-tomcat.*|so-tomcat.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file diff --git a/salt/curator/files/action/so-tomcat-warm.yml b/salt/curator/files/action/so-tomcat-warm.yml deleted file mode 100644 index e176a272b..000000000 --- a/salt/curator/files/action/so-tomcat-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-tomcat'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-tomcat - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - 
diff --git a/salt/curator/files/action/so-zeek-warm.yml b/salt/curator/files/action/so-zeek-warm.yml deleted file mode 100644 index d53d70659..000000000 --- a/salt/curator/files/action/so-zeek-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-zeek'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-zeek - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - diff --git a/salt/curator/files/action/so-zscaler-close.yml b/salt/curator/files/action/so-zscaler-close.yml deleted file mode 100644 index 4b453a260..000000000 --- a/salt/curator/files/action/so-zscaler-close.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['so-zscaler'].close %} -actions: - 1: - action: close - description: >- - Close zscaler indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-zscaler.*|so-zscaler.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: diff --git a/salt/curator/files/action/so-zscaler-delete.yml b/salt/curator/files/action/so-zscaler-delete.yml deleted file mode 100644 index a56ebd859..000000000 --- a/salt/curator/files/action/so-zscaler-delete.yml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set DELETE_DAYS = CURATORMERGED['so-zscaler'].delete %} -actions: - 1: - action: delete_indices - description: >- - Delete zscaler indices when older than {{ DELETE_DAYS }} days. - options: - ignore_empty_list: True - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(logstash-zscaler.*|so-zscaler.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ DELETE_DAYS }} - exclude: - - \ No newline at end of file 
diff --git a/salt/curator/files/action/so-zscaler-warm.yml b/salt/curator/files/action/so-zscaler-warm.yml deleted file mode 100644 index c6ea011e5..000000000 --- a/salt/curator/files/action/so-zscaler-warm.yml +++ /dev/null @@ -1,29 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set WARM_DAYS = CURATORMERGED['so-zscaler'].warm %} -actions: - 1: - action: allocation - description: "Apply shard allocation filtering rules to the specified indices" - options: - key: box_type - value: warm - allocation_type: require - wait_for_completion: true - timeout_override: - continue_if_exception: false - disable_action: false - filters: - - filtertype: pattern - kind: prefix - value: so-zscaler - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{ WARM_DAYS }} - From 073054b447a6197737d3a20fa231db13bb2a384e Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 16:21:55 +0000 Subject: [PATCH 257/470] Remove 'so-curator-cluster-warm' and remove unncessary Curator default values --- salt/curator/defaults.yaml | 135 ------------------ .../curator/files/bin/so-curator-cluster-warm | 26 ---- salt/curator/init.sls | 10 -- 3 files changed, 171 deletions(-) delete mode 100644 salt/curator/files/bin/so-curator-cluster-warm diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 3eda48d81..8e791b0d5 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml 
@@ -1,182 +1,47 @@ elasticsearch: index_settings: - so-aws: - warm: 7 - close: 30 - delete: 365 - so-azure: - warm: 7 - close: 30 - delete: 365 - so-barracuda: - warm: 7 - close: 30 - delete: 365 so-beats: - warm: 7 - close: 30 - delete: 365 - so-bluecoat: - warm: 7 - close: 30 - delete: 365 - so-cef: - warm: 7 - close: 30 - delete: 365 - so-checkpoint: - warm: 7 - close: 30 - delete: 365 - so-cisco: - warm: 7 - close: 30 - delete: 365 - so-cyberark: - warm: 7 - close: 30 - delete: 365 - so-cylance: - warm: 7 close: 30 delete: 365 so-elasticsearch: - warm: 7 - close: 30 - delete: 365 - so-endgame: - warm: 7 - close: 30 - delete: 365 - so-f5: - warm: 7 close: 30 delete: 365 so-firewall: - warm: 7 - close: 30 - delete: 365 - so-fortinet: - warm: 7 - close: 30 - delete: 365 - so-gcp: - warm: 7 - close: 30 - delete: 365 - so-google_workspace: - warm: 7 close: 30 delete: 365 so-ids: - warm: 7 - close: 30 - delete: 365 - so-imperva: - warm: 7 close: 30 delete: 365 so-import: - warm: 7 close: 73000 delete: 73001 - so-infoblox: - warm: 7 - close: 30 - delete: 365 - so-juniper: - warm: 7 - close: 30 - delete: 365 so-kratos: - warm: 7 close: 30 delete: 365 so-kibana: - warm: 7 close: 30 delete: 365 so-logstash: - warm: 7 - close: 30 - delete: 365 - so-microsoft: - warm: 7 - close: 30 - delete: 365 - so-misp: - warm: 7 close: 30 delete: 365 so-netflow: - warm: 7 - close: 30 - delete: 365 - so-netscout: - warm: 7 - close: 30 - delete: 365 - so-o365: - warm: 7 - close: 30 - delete: 365 - so-okta: - warm: 7 close: 30 delete: 365 so-osquery: - warm: 7 close: 30 delete: 365 so-ossec: - warm: 7 - close: 30 - delete: 365 - so-proofpoint: - warm: 7 - close: 30 - delete: 365 - so-radware: - warm: 7 close: 30 delete: 365 so-redis: - warm: 7 - close: 30 - delete: 365 - so-snort: - warm: 7 - close: 30 - delete: 365 - so-snyk: - warm: 7 - close: 30 - delete: 365 - so-sonicwall: - warm: 7 - close: 30 - delete: 365 - so-sophos: - warm: 7 close: 30 delete: 365 so-strelka: - warm: 7 close: 30 
delete: 365 so-syslog: - warm: 7 - close: 30 - delete: 365 - so-tomcat: - warm: 7 close: 30 delete: 365 so-zeek: - warm: 7 - close: 30 - delete: 365 - so-zscaler: - warm: 7 close: 30 delete: 365 diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm deleted file mode 100644 index f868caf0d..000000000 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -APP=warm -lf=/tmp/$APP-pidLockFile -# create empty lock file if none exists -cat /dev/null >> $lf -read lastPID < $lf -# if lastPID is not null and a process with that pid exists , exit -[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit -echo $$ > $lf - -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-warm.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-warm.yml > /dev/null 2>&1; diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 27c8d10c8..4a828beb6 100644 
--- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -182,16 +182,6 @@ so-curatorclusterdelete: - month: '*' - dayweek: '*' -so-curatorclusterwarm: - cron.present: - - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1 - - user: root - - minute: '2' - - hour: '*/1' - - daymonth: '*' - - month: '*' - - dayweek: '*' - {% else %} {{sls}}_state_not_allowed: From d6365468716ba93a49939a73b152fcb2a35301c8 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 17:15:25 +0000 Subject: [PATCH 258/470] Add new Curator action files --- .../files/action/logs-import-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-import-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-strelka-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-strelka-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-suricata-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-suricata-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-syslog-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-syslog-so-delete.yml | 27 +++++++++++++++++++ .../files/action/logs-zeek-so-close.yml | 27 +++++++++++++++++++ .../files/action/logs-zeek-so-delete.yml | 27 +++++++++++++++++++ 10 files changed, 270 insertions(+) create mode 100644 salt/curator/files/action/logs-import-so-close.yml create mode 100644 salt/curator/files/action/logs-import-so-delete.yml create mode 100644 salt/curator/files/action/logs-strelka-so-close.yml create mode 100644 salt/curator/files/action/logs-strelka-so-delete.yml create mode 100644 salt/curator/files/action/logs-suricata-so-close.yml create mode 100644 salt/curator/files/action/logs-suricata-so-delete.yml create mode 100644 salt/curator/files/action/logs-syslog-so-close.yml create mode 100644 salt/curator/files/action/logs-syslog-so-delete.yml create mode 100644 salt/curator/files/action/logs-zeek-so-close.yml create mode 100644 salt/curator/files/action/logs-zeek-so-delete.yml 
diff --git a/salt/curator/files/action/logs-import-so-close.yml b/salt/curator/files/action/logs-import-so-close.yml new file mode 100644 index 000000000..52ddb5eb5 --- /dev/null +++ b/salt/curator/files/action/logs-import-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %} +actions: + 1: + action: close + description: >- + Close import indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml new file mode 100644 index 000000000..274d06711 --- /dev/null +++ b/salt/curator/files/action/logs-import-so-delete.yml 
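Review bot: The leading `.` in `value: '^(.ds-logs-import-so.*)$'` is an unescaped regex metacharacter, so the pattern matches any index whose name has one arbitrary character before `ds-logs-import-so`; `'^\.ds-logs-import-so-.*$'` is what is meant, and the same unescaped dot recurs in every sibling action file of this commit. Separately, the names matched are data-stream backing indices, and if I recall the Elasticsearch semantics correctly the stream's current write index cannot be closed; with `continue_if_exception: False` a single such rejection aborts the whole run, so a low-volume stream whose write index is older than `close` days would block closing of the other backing indices selected in the same pass — worth confirming against the ES version in use, or excluding the newest backing index. The `timestring: '%Y.%m.%d'` age is read from the date embedded in the backing-index name, which is when that generation was created rather than the age of the events inside it; a one-line comment above the age filter saying so would help operators tuning `close`.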
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete syslog indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-syslog-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-strelka-so-close.yml b/salt/curator/files/action/logs-strelka-so-close.yml new file mode 100644 index 000000000..a5b31785f --- /dev/null +++ b/salt/curator/files/action/logs-strelka-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-strelka-so'].close %} +actions: + 1: + action: close + description: >- + Close Strelka indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-strelka-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
diff --git a/salt/curator/files/action/logs-strelka-so-delete.yml b/salt/curator/files/action/logs-strelka-so-delete.yml new file mode 100644 index 000000000..d01bdcc83 --- /dev/null +++ b/salt/curator/files/action/logs-strelka-so-delete.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-strelka-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Strelka indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-strelka-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-suricata-so-close.yml b/salt/curator/files/action/logs-suricata-so-close.yml new file mode 100644 index 000000000..a25be9f3d --- /dev/null +++ b/salt/curator/files/action/logs-suricata-so-close.yml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-suricata-so'].close %} +actions: + 1: + action: close + description: >- + Close Suricata indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-suricata-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-suricata-so-delete.yml b/salt/curator/files/action/logs-suricata-so-delete.yml new file mode 100644 index 000000000..765ba1293 --- /dev/null +++ b/salt/curator/files/action/logs-suricata-so-delete.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-suricata-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Suricata indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-suricata-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + 
diff --git a/salt/curator/files/action/logs-syslog-so-close.yml b/salt/curator/files/action/logs-syslog-so-close.yml new file mode 100644 index 000000000..b9baf3c1a --- /dev/null +++ b/salt/curator/files/action/logs-syslog-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-syslog-so'].close %} +actions: + 1: + action: close + description: >- + Close syslog indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-syslog-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml new file mode 100644 index 000000000..b46a5fc73 --- /dev/null +++ b/salt/curator/files/action/logs-syslog-so-delete.yml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-zeek-so-close.yml b/salt/curator/files/action/logs-zeek-so-close.yml new file mode 100644 index 000000000..f8ad13ca0 --- /dev/null +++ b/salt/curator/files/action/logs-zeek-so-close.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-zeek-so'].close %} +actions: + 1: + action: close + description: >- + Close Zeek indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-zeek-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
diff --git a/salt/curator/files/action/logs-zeek-so-delete.yml b/salt/curator/files/action/logs-zeek-so-delete.yml new file mode 100644 index 000000000..5acfc50a7 --- /dev/null +++ b/salt/curator/files/action/logs-zeek-so-delete.yml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-zeek-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Zeek indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-zeek-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + From 88d98af243ef5bf19024e2c3b7abc02b15d9aa2a Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 17:21:03 +0000 Subject: [PATCH 259/470] Add new Curator action files to Curator close and delete scripts --- salt/curator/files/bin/so-curator-close | 5 +++++ salt/curator/files/bin/so-curator-cluster-close | 5 +++++ salt/curator/files/bin/so-curator-cluster-delete | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 885cb4502..af66a03df 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
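Review bot: `delete_indices` with `value: '^(.ds-logs-zeek-so.*)$'` can select the data stream's current write index, which Elasticsearch (if I recall correctly) refuses to delete until the stream has rolled over; the rejection applies to the whole delete request Curator issues, so a quiet period longer than `delete` days could leave expired backing indices in place until a rollover happens — worth confirming and, if so, excluding the newest backing index or forcing a rollover first. The leading `.` is also unescaped and should be `\.`, as in the other new action files in this commit. `ignore_empty_list: True` is the right choice for a fresh deployment where the stream does not exist yet.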
@@ -25,3 +25,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close
index 0929149ed..4359dcfc1 100644
--- a/salt/curator/files/bin/so-curator-cluster-close
+++ b/salt/curator/files/bin/so-curator-cluster-close
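Review bot: Four of the five action paths added to so-curator-close do not exist: the files created earlier in this series are `logs-strelka-so-close.yml`, `logs-suricata-so-close.yml`, `logs-syslog-so-close.yml` and `logs-zeek-so-close.yml` (only `logs-import-so-close.yml` matches), so curator will fail on a missing action file for those four lines and the close policy for the Strelka, Suricata, syslog and Zeek data streams never runs. Because each command ends in `> /dev/null 2>&1`, the failure is invisible even though the curator cron entries redirect the script's output to a log under /opt/so/log/curator. Rename the four paths to the `logs-<name>-so-close.yml` form and consider dropping the per-command redirect on the new lines so a missing action file shows up in the cron log. The script's lock-file handling at the top is outside the hunk.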
@@ -23,3 +23,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1;
 docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-close.yml > /dev/null 2>&1;
+docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-close.yml > /dev/null 2>&1;
diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete
index 2d71f725d..34c3c10cf 100644
--- a/salt/curator/files/bin/so-curator-cluster-delete
+++ b/salt/curator/files/bin/so-curator-cluster-delete
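Review bot: The same path mismatch exists in so-curator-cluster-close: `logs-strelka-close.yml`, `logs-suricata-close.yml`, `logs-syslog-close.yml` and `logs-zeek-close.yml` are not the files this series creates, which are named `logs-<name>-so-close.yml` (`logs-import-so-close.yml` is the only one that matches). With stdout and stderr sent to /dev/null on every line, curator's missing-file error never reaches the cron log, so the four data streams silently keep all their backing indices open. Correct the four filenames and consider leaving stderr unredirected on the new lines. The lock-file logic of the script is outside the hunk.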
@@ -23,3 +23,8 @@ docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/cur docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-delete.yml > /dev/null 2>&1; +docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-delete.yml > /dev/null 2>&1; From 26c9813276675f9646fbea13753e6e8c3379fca5 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 7 Mar 2023 17:29:07 +0000 Subject: [PATCH 260/470] Add keys for new Curator actions to defaults.yaml --- salt/curator/defaults.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 8e791b0d5..237a50c81 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml @@ -1,5 +1,20 @@ elasticsearch: index_settings: + logs-import-so: + close: 73000 + delete: 73001 + logs-strelka-so: + close: 30 + delete: 365 + logs-suricata-so: + close: 30 + delete: 365 + logs-syslog-so: + close: 30 + delete: 365 + logs-zeek-so: + close: 30 + delete: 365 so-beats: close: 30 delete: 365 From f50639d2d2c6950492439ce110e78a160ee8af66 Mon Sep 17 00:00:00 2001 
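Review bot: In so-curator-cluster-delete the new paths `logs-strelka-delete.yml`, `logs-suricata-delete.yml`, `logs-syslog-delete.yml` and `logs-zeek-delete.yml` do not match the action files added in this series, which are `logs-strelka-so-delete.yml`, `logs-suricata-so-delete.yml`, `logs-syslog-so-delete.yml` and `logs-zeek-so-delete.yml`; only the import line is correct. The effect is that age-based deletion for those four data streams never happens and disk usage grows until whatever other safeguard exists (presumably the global space-based delete action) intervenes, while `> /dev/null 2>&1` hides curator's error from the cron log. Fix the four filenames and consider keeping stderr on the new lines so a missing action file is visible. The script's lock-file handling is outside the hunk.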
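Review bot: The new `logs-*-so` keys in `elasticsearch.index_settings` carry no documentation of their unit or of how they are consumed, yet the action files in this series look them up by exact name (`CURATORMERGED['logs-import-so'].close`), so a renamed or missing key fails at Jinja render time rather than at runtime. A short comment above the block would prevent that and explain the sentinel values, e.g. `# Retention in days per index pattern; key names must match the CURATORMERGED[...] lookups in files/action/*.yml. 73000 (~200 years) effectively disables the action.`. Note also that the old `so-strelka`, `so-syslog` and `so-zeek` keys remain further down, so an operator changing retention for those sources now has two places to update; stating which one applies to the new data streams would avoid confusion.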
From: Wes Date: Tue, 7 Mar 2023 17:41:48 +0000 Subject: [PATCH 261/470] Fix import and syslog actions --- salt/curator/files/action/logs-import-so-delete.yml | 6 +++--- salt/curator/files/action/logs-syslog-so-delete.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/curator/files/action/logs-import-so-delete.yml b/salt/curator/files/action/logs-import-so-delete.yml index 274d06711..b46a5fc73 100644 --- a/salt/curator/files/action/logs-import-so-delete.yml +++ b/salt/curator/files/action/logs-import-so-delete.yml @@ -3,19 +3,19 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} actions: 1: action: delete_indices description: >- - Delete syslog indices when older than {{ DELETE_DAYS }} days. + Delete import indices when older than {{ DELETE_DAYS }} days. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-syslog-so.*)$' + value: '^(.ds-logs-import-so.*)$' - filtertype: age source: name direction: older diff --git a/salt/curator/files/action/logs-syslog-so-delete.yml b/salt/curator/files/action/logs-syslog-so-delete.yml index b46a5fc73..274d06711 100644 --- a/salt/curator/files/action/logs-syslog-so-delete.yml +++ b/salt/curator/files/action/logs-syslog-so-delete.yml 
@@ -3,19 +3,19 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-syslog-so'].delete %} actions: 1: action: delete_indices description: >- - Delete import indices when older than {{ DELETE_DAYS }} days. + Delete syslog indices when older than {{ DELETE_DAYS }} days. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-import-so.*)$' + value: '^(.ds-logs-syslog-so.*)$' - filtertype: age source: name direction: older From 4f3cb2eb3dc7965a4a3feaf58d3e4f64236f4312 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 7 Mar 2023 14:42:10 -0500 Subject: [PATCH 262/470] Clarify playbook load time log message --- salt/common/tools/sbin/so-playbook-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset index d58078997..f7101ed5f 100755 --- a/salt/common/tools/sbin/so-playbook-reset +++ b/salt/common/tools/sbin/so-playbook-reset @@ -17,6 +17,6 @@ salt-call state.apply playbook,playbook.automation_user_create /usr/sbin/so-soctopus-restart -echo "Importing Plays - this will take some time...." +echo "Importing Plays - NOTE: this will continue after installation finishes and could take an hour or more. Rebooting while the import is in progress will delay playbook imports." sleep 5 so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & From fd2312a2acffa949e54904bc3b65cdce0525c739 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 7 Mar 2023 15:13:35 -0500 Subject: [PATCH 263/470] Remove EA install from manager highstates --- salt/top.sls | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 69d99f6de..889c95f99 100644 --- a/salt/top.sls +++ b/salt/top.sls 
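Review bot: The reworded message in so-playbook-reset warns that the play import can take an hour or more but does not say where to watch its progress, even though the next lines send the output to `/root/setup_playbook_rule_update.log`. Appending that path to the string, e.g. `echo "Importing Plays - NOTE: this will continue after installation finishes and could take an hour or more. Progress is logged to /root/setup_playbook_rule_update.log; rebooting while the import is in progress will delay playbook imports."`, makes the advice actionable for the operator. Any function enclosing this echo is outside the hunk.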
@@ -106,7 +106,6 @@ base: - playbook - redis {%- endif %} - - elastic-fleet.install_agent_grid - docker_clean '*_manager and G@saltversion:{{saltversion}}': @@ -148,7 +147,6 @@ base: - schedule - soctopus - playbook - - elastic-fleet.install_agent_grid - docker_clean '*_standalone and G@saltversion:{{saltversion}}': @@ -201,7 +199,6 @@ base: - playbook - docker_clean - elastic-fleet - - elastic-fleet.install_agent_grid '*_searchnode and G@saltversion:{{saltversion}}': - match: compound @@ -259,7 +256,6 @@ base: - schedule - soctopus - playbook - - elastic-fleet.install_agent_grid - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': @@ -320,7 +316,6 @@ base: - zeek - schedule - docker_clean - - elastic-fleet.install_agent_grid - elastic-fleet '*_receiver and G@saltversion:{{saltversion}}': From e93c052d346ae8743403f5f10c482931a3f55068 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 7 Mar 2023 15:21:53 -0500 Subject: [PATCH 264/470] Add the new index format to the global delete action file for Curator --- salt/curator/files/action/delete.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index e51b08538..fb8ae30cb 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -15,7 +15,7 @@ actions: filters: - filtertype: pattern kind: regex - value: '^(logstash-.*|so-.*)$' + value: '^(logstash-.*|so-.*|.ds-logs-.*-so.*)$' - filtertype: pattern kind: regex value: '^(so-case.*)$' From 2d7ce41a703d28b402c275ad05ce8ebb1636511c Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 7 Mar 2023 16:16:55 -0500 Subject: [PATCH 265/470] Remove reference to 'so-curator-cluster-warm' script since it has been removed --- salt/curator/init.sls | 9 --------- 1 file changed, 9 deletions(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 4a828beb6..94a666f53 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
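Review bot: The new alternative in `value: '^(logstash-.*|so-.*|.ds-logs-.*-so.*)$'` has an unescaped leading dot and an unbounded `.*` in the middle, so as a delete filter it matches more than the `.ds-logs-<stream>-so` backing indices it names; `\.ds-logs-[^-]+-so.*` would be tighter, and the dot should be escaped in any case. Data-stream backing indices now appear to be covered both by this global action and by the per-stream action files touched earlier in this series, so two retention settings presumably apply to the same indices and the shorter one takes effect first — a comment in this file naming which setting is meant to govern would prevent surprises. The `so-case.*` pattern that follows is context rather than changed code, so whether it excludes case indices from this deletion cannot be confirmed from this hunk.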
@@ -113,15 +113,6 @@ curclusterdelete: - mode: 755 - template: jinja -curclustercwarm: - file.managed: - - name: /usr/sbin/so-curator-cluster-warm - - source: salt://curator/files/bin/so-curator-cluster-warm - - user: 934 - - group: 939 - - mode: 755 - - template: jinja - so-curator: docker_container.{{ CURATOROPTIONS.status }}: - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }} From b9e3024521adfe7bb67fa984d82f28d4db42dd06 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 8 Mar 2023 15:10:31 -0500 Subject: [PATCH 266/470] fix user sync issue after setup finishes --- salt/common/tools/sbin/so-user | 18 ------------------ setup/so-functions | 2 -- 2 files changed, 20 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 4ad3983b4..aaa43cd9e 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -496,19 +496,6 @@ EOF fi } -function migrateLockedUsers() { - # This is a migration function to convert locked users from prior to 2.3.90 - # to inactive users using the newer Kratos functionality. This should only - # find locked users once. - lockedEmails=$(curl -s ${kratosUrl}/identities | jq -r '.[] | select(.traits.status == "locked") | .traits.email') - if [[ -n "$lockedEmails" ]]; then - echo "Disabling locked users..." - for email in $lockedEmails; do - updateStatus "$email" locked - done - fi -} - function updateStatus() { email=$1 status=$2 @@ -703,11 +690,6 @@ case "${operation}" in echo "Password is acceptable" ;; - "migrate") - migrateLockedUsers - echo "User migration complete" - ;; - *) fail "Unsupported operation: $operation" usage diff --git a/setup/so-functions b/setup/so-functions index 0ca635872..e006bac34 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -68,9 +68,7 @@ add_web_user() {
wait_for_file /nsm/kratos/db/db.sqlite 30 5
{
info "Attempting to add administrator user for web interface...";
- export SKIP_STATE_APPLY=true
echo "$WEBPASSWD1" | /usr/sbin/so-user add --email "$WEBUSER" --role "superuser";
- unset SKIP_STATE_APPLY
info "Add user result: $?";
} >> "/root/so-user-add.log" 2>&1
}
From a5c89bfaa16688c0cb46f155d843595d67bc5a97 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 8 Mar 2023 16:49:34 -0500
Subject: [PATCH 267/470] update sysmon dashboards
---
salt/soc/defaults.yaml | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 14e8182f3..1b455c62a 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
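Review bot: With the SKIP_STATE_APPLY export gone, the administrator password is still delivered through `echo "$WEBPASSWD1" | /usr/sbin/so-user add ...`; bash's builtin echo treats a value that begins with `-n`, `-e` or `-E` as an option, so such a password would be silently altered before it reaches so-user. `printf '%s\n' "$WEBPASSWD1" | /usr/sbin/so-user add --email "$WEBUSER" --role "superuser";` passes it verbatim. `info "Add user result: $?"` reports the status of the pipeline's last command, which is so-user, so that line is fine as is. add_web_user starts before this hunk.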
@@ -1395,22 +1395,22 @@ soc: query: 'event.category:network AND event.dataset:alert | groupby rule.category | groupby -sankey source.ip destination.ip | groupby rule.name | groupby rule.uuid | groupby rule.gid | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - name: Sysmon Overview description: Overview of all Sysmon data types - query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.action | groupby user.name | groupby dns.query.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.target | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: Sysmon Registry - description: Registry changes captured by Sysmon - query: '(event.dataset:windows.sysmon_operational AND event.action:Registry*) | groupby -sankey event.action host.name | groupby host.name | groupby event.action | groupby process.executable | groupby registry.path | groupby process.executable registry.path' - - name: Sysmon DNS - description: DNS queries captured by Sysmon - query: 'event.dataset:windows.sysmon_operational AND event.action:"Dns query (rule: DnsQuery)" | groupby -sankey host.name dns.query.name | groupby host.name | groupby process.executable | groupby dns.query.name | groupby dns.answers.name' - - name: Sysmon Process - description: Process activity captured by Sysmon - query: '(event.dataset:process_creation OR event.dataset:process_terminated OR event.dataset:process_access) | groupby -sankey host.name user.name | groupby host.name | groupby user.name | groupby event.dataset | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' - - name: Sysmon File - description: File 
activity captured by Sysmon - query: 'event.module:sysmon AND event.dataset:file_* | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset | groupby file.target | groupby process.executable' - - name: Sysmon Network - description: Network activity captured by Sysmon - query: 'event.dataset:network_connection | groupby -sankey host.name destination.ip destination.port | groupby winlog.computer_name | groupby user.name | groupby process.executable | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Host Data - Registry Changes + description: Windows Registry changes + query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path' + - name: Host Data - DNS & Process Mappings + description: DNS queries mapped to originating processes + query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.provider event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' + - name: Host Data - Process + description: Process activity captured on an endpoint + query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory 
| groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' + - name: Host Data - File + description: File activity captured on an endpoint + query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.provider event.action event.type | groupby file.name | groupby process.executable' + - name: Host Data - Network & Process Mappings + description: Network activity mapped to originating processes + query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.provider* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Strelka description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' 
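Review bot: The new `Host Data - Network & Process Mappings` query groups by `winlog.event_data.TargetObject`, which appears to be carried over from the Sysmon Overview query and is a field Sysmon populates on registry events, not network ones, so that grouping will come back empty on this dashboard; drop the `| groupby winlog.event_data.TargetObject` segment. The same leftover survives the later renames of this dashboard in this series. Separately, the new queries mix `event.category: registry` (space after the colon) with `event.category:process`; one form across the file would be easier to read and to grep. The dashboard list continues outside the hunk.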
@@ -1432,9 +1432,11 @@ soc: - name: DPD description: DPD (Dynamic Protocol Detection) errors query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' + - name: Files description: Files seen in network traffic query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name' + - name: FTP description: FTP (File Transfer Protocol) network metadata query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' From 14938060406185b9177c601699323047db0b6869 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 8 Mar 2023 17:03:02 -0500 Subject: [PATCH 268/470] Change host dashboard titles --- salt/soc/defaults.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 1b455c62a..aa78ce3e2 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -1396,19 +1396,19 @@ soc: - name: Sysmon Overview description: Overview of all Sysmon data types query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' - - name: Host Data - Registry Changes + - name: Host Registry Changes description: Windows Registry changes query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path' - - name: Host Data - DNS & Process Mappings + - name: Host DNS & Process Mappings description: DNS queries mapped to originating processes query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.provider event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' - - name: Host Data - Process + - name: Host Process Activity description: Process activity captured on an endpoint query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' - - name: Host Data - File + - name: Host File Activity description: File activity captured on an endpoint query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable 
| groupby host.name | groupby event.provider event.action event.type | groupby file.name | groupby process.executable' - - name: Host Data - Network & Process Mappings + - name: Host Network & Process Mappings description: Network activity mapped to originating processes query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.provider* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Strelka From b6ce9f489ac79393e1c02c31adbb4a27dd8de6e0 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Mar 2023 11:02:01 -0500 Subject: [PATCH 269/470] autodetect manager IP --- setup/so-functions | 9 +++++++++ setup/so-setup | 5 ++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index e006bac34..26a97583f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1606,6 +1606,15 @@ networking_needful() { fi set_main_ip compare_main_nic_ip + + # Attempt to autodetect the manager IP, if an offset value exists + if [[ -n "$MSRVIP_OFFSET" && -z "$MSRVIP" ]]; then + mips1=$(echo "$MNIC_IP" | awk -F. '{print $1}') + mips2=$(echo "$MNIC_IP" | awk -F. '{print $2}') + mips3=$(echo "$MNIC_IP" | awk -F. '{print $3}') + mips4=$(echo "$MNIC_IP" | awk -F. '{print $4}') + MSRVIP="$mips1.$mips2.$mips3.$((mips4+$MSRVIP_OFFSET))" + fi } network_setup() { diff --git a/setup/so-setup b/setup/so-setup index 1bee9e617..f430efb4b 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -183,8 +183,10 @@ if [ -n "$test_profile" ]; then if [[ "$test_profile" =~ "-sensor-" ]]; then HOSTNAME=sensor + MSRVIP_OFFSET=-2 elif [[ "$test_profile" =~ "-search-" ]]; then HOSTNAME=search + MSRVIP_OFFSET=-1 else HOSTNAME=manager fi 
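Review bot: The derived address `MSRVIP="$mips1.$mips2.$mips3.$((mips4+$MSRVIP_OFFSET))"` is never range-checked, so an `MNIC_IP` ending in `.1` combined with the `-2` offset set in the so-setup hunk below produces `x.y.z.-1`, and setup then tries to reach the manager at an invalid address with no clear error. Validate the last octet before assigning, and the four awk calls can collapse into one `IFS=. read`. networking_needful starts before this hunk.

```bash
  # Attempt to autodetect the manager IP, if an offset value exists
  if [[ -n "$MSRVIP_OFFSET" && -z "$MSRVIP" ]]; then
    IFS=. read -r mips1 mips2 mips3 mips4 <<< "$MNIC_IP"
    last_octet=$((mips4 + MSRVIP_OFFSET))
    if (( last_octet < 0 || last_octet > 255 )); then
      info "Cannot derive manager IP from $MNIC_IP with offset $MSRVIP_OFFSET"
      return 1
    fi
    MSRVIP="$mips1.$mips2.$mips3.$last_octet"
  fi
```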
@@ -192,14 +194,11 @@ if [ -n "$test_profile" ]; then MSRV=manager if [[ "$test_profile" =~ "-net" ]]; then address_type=DHCP - MSRVIP=10.66.166.72 elif [[ "$test_profile" =~ "-cloud" ]]; then MSRVIP=10.99.1.20 elif [[ "$test_profile" =~ "-iso" ]]; then - MSRVIP=10.66.166.42 elif [[ "$test_profile" =~ "-airgap" ]]; then is_airgap=true - MSRVIP=10.66.166.52 fi if [ -f "/root/public_ip" ]; then From a4409b2979eca8331bd67c0c72329704e41ea80d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Mar 2023 11:47:35 -0500 Subject: [PATCH 270/470] autodetect manager IP --- setup/so-setup | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index f430efb4b..5555cd8f9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -181,10 +181,10 @@ if [ -n "$test_profile" ]; then # The below settings are hardcoded purely for automated testing purposes. TESTING=true - if [[ "$test_profile" =~ "-sensor-" ]]; then + if [[ "$test_profile" =~ "-sensor" ]]; then HOSTNAME=sensor MSRVIP_OFFSET=-2 - elif [[ "$test_profile" =~ "-search-" ]]; then + elif [[ "$test_profile" =~ "-search" ]]; then HOSTNAME=search MSRVIP_OFFSET=-1 else @@ -196,7 +196,6 @@ if [ -n "$test_profile" ]; then address_type=DHCP elif [[ "$test_profile" =~ "-cloud" ]]; then MSRVIP=10.99.1.20 - elif [[ "$test_profile" =~ "-iso" ]]; then elif [[ "$test_profile" =~ "-airgap" ]]; then is_airgap=true fi From b1f201ca87ad4a3025f6c8fbbcc73b2813ac1483 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Mar 2023 12:05:42 -0500 Subject: [PATCH 271/470] autodetect manager IP --- setup/so-setup | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 5555cd8f9..d45d7ca2d 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -175,7 +175,11 @@ progress() {
if [ -n "$test_profile" ]; then
install_type="$(echo $test_profile |awk -F- '{print $1}')"
- install_type=${install_type^^}
+ if [[ install_type == "distributed" ]]; then
+ install_type=MANAGER
+ else
+ install_type=${install_type^^}
+ fi
info "Activating test profile; profile=$test_profile; install_type=$install_type"
# The below settings are hardcoded purely for automated testing purposes.
From ecc300197dffca0c22bd833df79625eb9e675acf Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 Mar 2023 12:11:27 -0500
Subject: [PATCH 272/470] autodetect manager IP
---
setup/so-setup | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index d45d7ca2d..49b549e65 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -175,7 +175,7 @@ progress() {
if [ -n "$test_profile" ]; then
install_type="$(echo $test_profile |awk -F- '{print $1}')"
- if [[ install_type == "distributed" ]]; then
+ if [[ "$install_type" == "distributed" ]]; then
install_type=MANAGER
else
install_type=${install_type^^}
From 894a20b3adc1f16ad6d693399aa5e422be5ca1a2 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 Mar 2023 12:58:51 -0500
Subject: [PATCH 273/470] autodetect manager IP
---
setup/so-setup | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 49b549e65..a1a1c6d76 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -180,21 +180,24 @@ if [ -n "$test_profile" ]; then else install_type=${install_type^^} fi - info "Activating test profile; profile=$test_profile; install_type=$install_type" # The below settings are hardcoded purely for automated testing purposes. TESTING=true if [[ "$test_profile" =~ "-sensor" ]]; then + install_type=SENSOR HOSTNAME=sensor MSRVIP_OFFSET=-2 elif [[ "$test_profile" =~ "-search" ]]; then + install_type=SEARCH HOSTNAME=search MSRVIP_OFFSET=-1 else HOSTNAME=manager fi + info "Activating test profile; profile=$test_profile; install_type=$install_type" + MSRV=manager if [[ "$test_profile" =~ "-net" ]]; then address_type=DHCP From 73abf8dbfdc0dd57ef8e03798f168b102ff7a78c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 9 Mar 2023 14:32:52 -0500 Subject: [PATCH 274/470] Generic host dashboard --- salt/soc/defaults.yaml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index aa78ce3e2..e516631fe 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -562,11 +562,11 @@ soc: - source.ip ':windows.sysmon_operational:': - soc_timestamp - - event.dataset + - event.action - process.executable - user.name - file.target - - dns.query.name + - dns.question.name - winlog.event_data.TargetObject '::network_connection': - soc_timestamp @@ -1116,7 +1116,7 @@ soc: enabled: true queries: - name: Default Query - description: Show all events grouped by the origin host + description: Show all events grouped by the observer host query: '* | groupby observer.name' showSubtitle: true - name: Log Type 
@@ -1396,21 +1396,24 @@ soc: - name: Sysmon Overview description: Overview of all Sysmon data types query: 'event.dataset:windows.sysmon_operational | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby host.name | groupby event.category event.action | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby file.name | groupby source.ip | groupby destination.ip | groupby destination.port' + - name: Host Overview + description: Overview of all host data types + query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby host.name | groupby user.name | groupby file.name | groupby process.executable' - name: Host Registry Changes description: Windows Registry changes query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path' - name: Host DNS & Process Mappings description: DNS queries mapped to originating processes - query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.provider event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data' + query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby 
dns.answers.data' - name: Host Process Activity description: Process activity captured on an endpoint query: 'event.category:process | groupby -sankey host.name user.name* | groupby event.dataset event.action | groupby host.name | groupby user.name | groupby process.working_directory | groupby process.executable | groupby process.command_line | groupby process.parent.executable | groupby process.parent.command_line | groupby -sankey process.parent.executable process.executable' - name: Host File Activity description: File activity captured on an endpoint - query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.provider event.action event.type | groupby file.name | groupby process.executable' + query: 'event.category: file AND _exists_:process.executable | groupby -sankey host.name process.executable | groupby host.name | groupby event.dataset event.action event.type | groupby file.name | groupby process.executable' - name: Host Network & Process Mappings description: Network activity mapped to originating processes - query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.provider* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' + query: 'event.category: network AND _exists_:process.executable | groupby -sankey event.action host.name | groupby -sankey host.name user.name | groupby event.dataset* event.type* event.action* | groupby host.name | groupby user.name | groupby dns.question.name | groupby process.executable | groupby winlog.event_data.TargetObject | groupby process.name | groupby source.ip | groupby destination.ip | groupby destination.port' - name: Strelka 
description: Strelka file analysis query: 'event.module:strelka | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.name' @@ -1432,11 +1435,9 @@ soc: - name: DPD description: DPD (Dynamic Protocol Detection) errors query: 'event.dataset:dpd | groupby error.reason | groupby network.protocol | groupby -sankey source.ip destination.ip | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' - - name: Files description: Files seen in network traffic query: 'event.dataset:file | groupby file.mime_type | groupby -sankey file.mime_type file.source | groupby file.source | groupby file.bytes.total | groupby source.ip | groupby destination.ip | groupby destination_geo.organization_name' - - name: FTP description: FTP (File Transfer Protocol) network metadata query: 'event.dataset:ftp | groupby -sankey ftp.command destination.ip | groupby ftp.command | groupby ftp.argument | groupby ftp.user | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name' From 23b344bf147cef4fb8473d0cd5e81f60373c3a2f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Mar 2023 15:04:42 -0500 Subject: [PATCH 275/470] distributed testing --- setup/so-functions | 3 +++ setup/so-setup | 5 +++-- setup/so-verify | 15 +++++++++++++++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 26a97583f..e13457612 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2303,6 +2303,9 @@ set_initial_firewall_access() { if [[ ! -z "$ALLOW_CIDR" ]]; then $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true fi + if [[ ! -z "$MINION_CIDR" ]]; then + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=true + fi } # Set up the management interface on the ISO 
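Review bot: `so-firewall --role=sensors --ip=$MINION_CIDR --apply=true` grants the sensors hostgroup to whatever `MINION_CIDR` holds, and the only assignment in this series is `MINION_CIDR=10.0.0.0/8` under the test-profile branch in the so-setup hunk that follows; per the hostgroup changes earlier in this series that role exposes the salt, redis, elasticsearch and yum port groups, so an entire private /8 is being admitted. Even for test grids the narrowest range the harness actually uses is preferable, and because the guard is only `! -z`, a `MINION_CIDR` inherited from the invoking environment would presumably be applied on a non-test install as well — consider `if [[ "$TESTING" == true && -n "$MINION_CIDR" ]]; then`. A one-line comment above the new block stating that MINION_CIDR is a test-only hook would make the intent visible to the next reader. set_initial_firewall_access starts before this hunk.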
diff --git a/setup/so-setup b/setup/so-setup index a1a1c6d76..cff432c13 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -189,7 +189,7 @@ if [ -n "$test_profile" ]; then HOSTNAME=sensor MSRVIP_OFFSET=-2 elif [[ "$test_profile" =~ "-search" ]]; then - install_type=SEARCH + install_type=SEARCHNODE HOSTNAME=search MSRVIP_OFFSET=-1 else @@ -198,6 +198,7 @@ if [ -n "$test_profile" ]; then info "Activating test profile; profile=$test_profile; install_type=$install_type" + MINION_CIDR=10.0.0.0/8 MSRV=manager if [[ "$test_profile" =~ "-net" ]]; then address_type=DHCP @@ -473,7 +474,7 @@ if ! [[ -f $install_opt_file ]]; then add_mngr_ip_to_hosts check_manager_connection collect_idh_services - collect_idh_preferences + collect_idh_preferences set_minion_info whiptail_end_settings diff --git a/setup/so-verify b/setup/so-verify index 2ccc76b09..20acf1c09 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -79,6 +79,19 @@ status_failed() { return 1 } +create_temp_so_status_if_missing() { + if ! which so-status &> /dev/null; then + if [ -f /root/success ]; then + echo "echo 'Minion installation succeeded - so-status not yet available'" > /usr/sbin/so-status + echo "exit 0" >> /usr/sbin/so-status + else + echo "echo 'Installation failed - so-status not available'" > /usr/sbin/so-status + echo "exit 100" >> /usr/sbin/so-status + fi + chmod a+x /usr/sbin/so-status + fi +} + main() { exit_code=0 if [ -f /root/success ]; then @@ -103,6 +116,8 @@ main() { touch /root/success fi + create_temp_so_status_if_missing + exit $exit_code } From 0ee870a19950b7d12e6f23aead7a5527974b71f3 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Mar 2023 15:40:51 -0500 Subject: [PATCH 276/470] cleanup unnecessary code --- setup/so-functions | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index e13457612..b3c0b6126 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2289,14 +2289,11 @@ set_initial_firewall_policy() {
title "Setting Initial Firewall Policy"
if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi
- case "$install_type" in
- 'MANAGER')
- $default_salt_dir/salt/common/tools/sbin/so-firewall --role=manager --ip=$MAINIP --apply=true
- ;;
- 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
- $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
- ;;
- esac
+ case "$install_type" in
+ 'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
+ $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
+ ;;
+ esac
}
set_initial_firewall_access() {
From ed8a23cedc535dd3f8b4dbf7ea57b0332cd24ac6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 9 Mar 2023 17:01:38 -0500
Subject: [PATCH 277/470] distributed testing
---
setup/so-verify | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/setup/so-verify b/setup/so-verify
index 20acf1c09..7e06cef86 100755
--- a/setup/so-verify
+++ b/setup/so-verify
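Review bot: Folding `'MANAGER'` into the shared case arm changes the argument from `--role=manager` to `--role=$install_type`, i.e. `--role=MANAGER`; the original special case suggests so-firewall may not accept the upper-case spelling, so either confirm that so-firewall normalises its role argument or keep the mapping explicit with `--role=${install_type,,}` (the setup scripts already use `${var^^}`, so the bash 4 lower-case expansion is available). If the role is unknown to so-firewall, the manager would come up with no initial policy applied rather than a visible error, which makes this worth a quick test on a manager install. set_initial_firewall_policy starts before this hunk.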
@@ -79,11 +79,17 @@ status_failed() { return 1 } -create_temp_so_status_if_missing() { - if ! which so-status &> /dev/null; then +# Creates scripts that are going to be invoked by the automated test system. These scripts will +# overwritten by Salt, once the minion is accepted into the grid and the salt states run. +create_temp_scripts_if_missing() { + if [ ! -f /usr/sbin/so-status ]; then if [ -f /root/success ]; then - echo "echo 'Minion installation succeeded - so-status not yet available'" > /usr/sbin/so-status + echo "echo 'so-status not yet available'" > /usr/sbin/so-status echo "exit 0" >> /usr/sbin/so-status + + # Pretend so-test succeeded in the interim period while waiting for this minion to be accepted. This avoids tests getting hung up. + echo "echo 'so-test not yet available'" > /usr/sbin/so-test + echo "exit 0" >> /usr/sbin/so-test else echo "echo 'Installation failed - so-status not available'" > /usr/sbin/so-status echo "exit 100" >> /usr/sbin/so-status @@ -116,7 +122,7 @@ main() { touch /root/success fi - create_temp_so_status_if_missing + create_temp_scripts_if_missing exit $exit_code } From 5301f442f948b0f71b2f3669f9bbd73a159d01f8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 9 Mar 2023 19:31:04 -0500 Subject: [PATCH 278/470] distributed testing --- setup/so-verify | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-verify b/setup/so-verify index 7e06cef86..84f02e43c 100755 --- a/setup/so-verify +++ b/setup/so-verify @@ -90,6 +90,7 @@ create_temp_scripts_if_missing() { # Pretend so-test succeeded in the interim period while waiting for this minion to be accepted. This avoids tests getting hung up. echo "echo 'so-test not yet available'" > /usr/sbin/so-test echo "exit 0" >> /usr/sbin/so-test + chmod a+x /usr/sbin/so-test else echo "echo 'Installation failed - so-status not available'" > /usr/sbin/so-status echo "exit 100" >> /usr/sbin/so-status From 16d94781967a96caf3afda24783ce6ee2c38ff5d Mon Sep 17 00:00:00 2001 
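Review bot: The stub `so-status` and `so-test` files are produced with `echo "..." > /usr/sbin/so-status` and never get an interpreter line, so they run only when the caller is a shell that falls back on ENOEXEC; a test driver that uses execve directly (Python, Go) would fail to launch them. Write `echo '#!/bin/bash' > /usr/sbin/so-status` first and append the existing lines with `>>`, and likewise for so-test. The success-path stubs also report `exit 0` for as long as they exist, so a minion that is never accepted into the grid keeps passing `so-status`; the new comment acknowledges this, and while editing it the phrase `These scripts will overwritten by Salt` should read `will be overwritten`. create_temp_scripts_if_missing lies fully within this hunk.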
From: weslambert Date: Fri, 10 Mar 2023 16:54:47 -0500 Subject: [PATCH 279/470] Add index lifecycle management policy definitions for default Elastic Agent data streams --- salt/elasticsearch/defaults.yaml | 209 +++++++++++++++++++++++++++++++ 1 file changed, 209 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index a0c431881..c4098e08c 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -84,6 +84,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -119,6 +138,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -154,6 +192,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent 
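Review bot: The same 19-line `policy:` block (hot rollover at `30d`/`50gb`, cold at `30d`, delete at `365d`) is pasted verbatim into every data-stream entry in this hunk and in the hunks that follow at -119, -154, -189, -224, -259, -294, -329, -364, -399 and -434, so a future change to Elastic Agent retention has eleven places to drift apart. Since this file is rendered through Jinja before Salt loads it, defining the block once — a Jinja variable or macro, or a single default merged into each stream by the consuming state — would keep one retention setting under review. Until then, a comment at the first occurrence such as `# ILM: 30d hot rollover, cold at 30d, delete at 365d — keep identical across the elastic_agent streams below` at least documents that the copies are meant to stay in sync. A YAML anchor would also remove the duplication but is harder for external tooling to follow, so the Jinja route is the safer one here.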
@@ -189,6 +246,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -224,6 +300,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -259,6 +354,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -294,6 +408,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent 
@@ -329,6 +462,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -364,6 +516,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -399,6 +570,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent @@ -434,6 +624,25 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} _meta: package: name: elastic_agent From 58343e39fa869cf5471a34e218a0bb2fd41c3d7c Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 10 Mar 2023 17:32:14 -0500 Subject: [PATCH 280/470] 2.4 strelka --- .../files/so-yara-update.jinja} | 39 +- salt/manager/init.sls | 15 + salt/strelka/defaults.yaml | 554 +++++++++++++++++- salt/strelka/filecheck/defaults.yaml | 4 + salt/strelka/filecheck/filecheck.yaml | 10 - salt/strelka/filecheck/filecheck.yaml.jinja | 1 + salt/strelka/filecheck/map.jinja | 12 + salt/strelka/files/backend/backend.yaml | 420 ------------- salt/strelka/files/backend/backend.yaml.jinja | 1 + salt/strelka/files/backend/logging.yaml | 78 --- salt/strelka/files/backend/logging.yaml.jinja | 1 + salt/strelka/files/backend/passwords.dat | 2 - .../strelka/files/backend/passwords.dat.jinja | 1 + salt/strelka/files/filestream/filestream.yaml | 26 - .../files/filestream/filestream.yaml.jinja | 1 + salt/strelka/files/frontend/frontend.yaml | 16 - .../files/frontend/frontend.yaml.jinja | 1 + salt/strelka/files/manager/manager.yaml | 9 - salt/strelka/files/manager/manager.yaml.jinja | 1 + salt/strelka/init.sls | 98 +++- salt/strelka/map.jinja | 20 + 21 files changed, 706 insertions(+), 604 deletions(-) rename salt/{common/tools/sbin/so-yara-update => manager/files/so-yara-update.jinja} (70%) create mode 100644 salt/strelka/filecheck/defaults.yaml delete mode 100644 salt/strelka/filecheck/filecheck.yaml create mode 100644 salt/strelka/filecheck/filecheck.yaml.jinja create mode 100644 salt/strelka/filecheck/map.jinja delete mode 100644 salt/strelka/files/backend/backend.yaml create mode 100644 salt/strelka/files/backend/backend.yaml.jinja delete mode 100644 salt/strelka/files/backend/logging.yaml create mode 100644 salt/strelka/files/backend/logging.yaml.jinja delete mode 100644 salt/strelka/files/backend/passwords.dat create mode 100644 salt/strelka/files/backend/passwords.dat.jinja delete mode 100644 salt/strelka/files/filestream/filestream.yaml create mode 100644 salt/strelka/files/filestream/filestream.yaml.jinja delete mode 100644 
salt/strelka/files/frontend/frontend.yaml create mode 100644 salt/strelka/files/frontend/frontend.yaml.jinja delete mode 100644 salt/strelka/files/manager/manager.yaml create mode 100644 salt/strelka/files/manager/manager.yaml.jinja create mode 100644 salt/strelka/map.jinja diff --git a/salt/common/tools/sbin/so-yara-update b/salt/manager/files/so-yara-update.jinja similarity index 70% rename from salt/common/tools/sbin/so-yara-update rename to salt/manager/files/so-yara-update.jinja index b4e83a172..ea07f72e4 100755 --- a/salt/common/tools/sbin/so-yara-update +++ b/salt/manager/files/so-yara-update.jinja @@ -5,14 +5,15 @@ # Elastic License 2.0. -{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} - echo "Starting to check for yara rule updates at $(date)..." output_dir="/opt/so/saltstack/default/salt/strelka/rules" mkdir -p $output_dir repos="$output_dir/repos.txt" newcounter=0 +excludedcounter=0 +excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) + {% if ISAIRGAP is sameas true %} 
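Review bot: `excluded_rules=({{ EXCLUDEDRULES | join(' ') }})` builds a bash array from unquoted template output, so a rule name containing whitespace or glob characters is word-split or expanded at runtime, and a value containing a quote or `$(` — pillar-controlled, so an administrator-only exposure, but the script runs as root from cron — would be interpreted by the shell. Emitting each entry quoted, `excluded_rules=({% for r in EXCLUDEDRULES %}"{{ r }}" {% endfor %})`, keeps one array element per rule regardless of its characters. Since `ISAIRGAP` now arrives from the state's `defaults:` instead of `pillar.get`, a `{% set ISAIRGAP = ISAIRGAP | default(false) %}` near the top would also keep the template renderable if it is ever rendered without that context.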
@@ -20,22 +21,29 @@ echo "Airgap mode enabled." clone_dir="/nsm/repo/rules/strelka" repo_name="signature-base" -mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base +[ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name +mkdir -p mkdir -p $output_dir/$repo_name # Ensure a copy of the license is available for the rules [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name # Copy over rules for i in $(find $clone_dir/yara -name "*.yar*"); do rule_name=$(echo $i | awk -F '/' '{print $NF}') - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) + if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then + echo "Adding rule: $rule_name..." + cp $i $output_dir/$repo_name + ((newcounter++)) + else + echo "Excluding rule: $rule_name..." + ((excludedcounter++)) + fi done echo "Done!" -if [ "$newcounter" -gt 0 ];then +if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then echo "$newcounter rules added." + echo "$excludedcounter rule(s) excluded." fi {% else %} @@ -60,9 +68,15 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then # Copy over rules for i in $(find $clone_dir/$repo_name -name "*.yar*"); do rule_name=$(echo $i | awk -F '/' '{print $NF}') - echo "Adding rule: $rule_name..." - cp $i $output_dir/$repo_name - ((newcounter++)) + + if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then + echo "Adding rule: $rule_name..." + cp $i $output_dir/$repo_name + ((newcounter++)) + else + echo "Excluding rule: $rule_name..." + ((excludedcounter++)) + fi done rm -rf $clone_dir/$repo_name fi @@ -70,8 +84,9 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then echo "Done!" - if [ "$newcounter" -gt 0 ];then - echo "$newcounter rules added." + if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then + echo "$newcounter rule(s) added." + echo "$excludedcounter rule(s) excluded." fi else 
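Review bot: `mkdir -p mkdir -p $output_dir/$repo_name` passes `mkdir` as a directory name, so the airgap branch creates a stray `./mkdir` directory in whatever cwd the cron job runs in; the line should read `mkdir -p "$output_dir/$repo_name"`. The exclusion test `[[ ! "${excluded_rules}" =~ ${rule_name} ]]` is also wrong for an array: `"${excluded_rules}"` expands to only the first element, so every rule after the first in `excluded_rules` is still copied, and the unquoted right-hand side makes `$rule_name` a regex in which `.` matches any character. A literal whole-element test, `if [[ " ${excluded_rules[*]} " != *" ${rule_name} "* ]]; then`, checks all entries without regex interpretation and is what both loops should use.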
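Review bot: The exclusion test in this loop has the same array problem as the airgap branch — `"${excluded_rules}"` is just `${excluded_rules[0]}`, so only the first excluded rule is honoured here, and `=~` treats `$rule_name` as a regex. Unlike the airgap branch, this path does not appear to clear `$output_dir/$repo_name` before copying (at least not within the hunk), so a rule added to `excluded_rules` after an earlier run stays in the output directory; with the `exclude_pat`/`file.absent` handling removed from `strelka/init.sls` in the same commit, such a rule would keep being synced to every node. Adding `rm -rf "$output_dir/$repo_name" && mkdir -p "$output_dir/$repo_name"` before the loop, as the airgap branch does, makes the output reflect the current exclusion list.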
diff --git a/salt/manager/init.sls b/salt/manager/init.sls index c1062e8ae..5f2b0005a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -5,6 +5,9 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'strelka/map.jinja' import STRELKAMERGED %} + include: - salt.minion - kibana.secrets @@ -20,6 +23,18 @@ socore_own_saltstack: - user - group +yara_update_script: + file.managed: + - name: /usr/sbin/so-yara-update + - source: salt://manager/files/so-yara-update.jinja + - user: root + - group: root + - mode: 755 + - template: jinja + - defaults: + ISAIRGAP: {{ GLOBALS.airgap }} + EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }} + strelka_yara_update: cron.present: - user: root diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 792431dc6..12f0edda3 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml 
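Review bot: `EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }}` and `ISAIRGAP: {{ GLOBALS.airgap }}` are interpolated into the state as Python reprs, which works for a list of bare filenames but breaks the state render as soon as an excluded rule name contains a `'` or `: `; `EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules | tojson }}` yields a YAML-safe flow list in the same position. Because this state installs a root-owned 0755 script into `/usr/sbin` that root's cron then executes (`strelka_yara_update`, continuing below the hunk), the cron state should carry `- require: - file: yara_update_script` so the job is never scheduled before the script exists.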
@@ -1,5 +1,557 @@ strelka: - ignore: + config: + backend: + backend: + logging_cfg: '/etc/strelka/logging.yaml' + limits: + max_files: 0 + time_to_live: 0 + max_depth: 15 + distribution: 600 + scanner: 150 + coordinator: + addr: 'HOST:6380' + db: 0 + tasting: + mime_db: '' + yara_rules: '/etc/strelka/taste/' + scanners: + 'ScanBase64': + - positive: + filename: '^base64_' + priority: 5 + 'ScanBatch': + - positive: + flavors: + - 'text/x-msdos-batch' + - 'batch_file' + priority: 5 + 'ScanBzip2': + - positive: + flavors: + - 'application/x-bzip2' + - 'bzip2_file' + priority: 5 + 'ScanDocx': + - positive: + flavors: + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + priority: 5 + options: + extract_text: False + 'ScanElf': + - positive: + flavors: + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + priority: 5 + 'ScanEmail': + - positive: + flavors: + - 'application/vnd.ms-outlook' + - 'message/rfc822' + - 'email_file' + priority: 5 + 'ScanEntropy': + - positive: + flavors: + - '*' + priority: 5 + 'ScanExiftool': + - positive: + flavors: + - 'application/msword' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'olecf_file' + - 'ooxml_file' + - 'audio/mpeg' + - 'mp3_file' + - 'mhtml_file' + - 'application/pdf' + - 'pdf_file' + - 'text/rtf' + - 'rtf_file' + - 'wordml_file' + - 'application/x-dosexec' + - 'mz_file' + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + - 'lnk_file' + - 'application/x-mach-binary' + - 'macho_file' + - 'image/gif' + - 'gif_file' + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 
'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + - 'application/x-shockwave-flash' + - 'fws_file' + - 'psd_file' + - 'video/mp4' + - 'video/quicktime' + - 'video/x-msvideo' + - 'avi_file' + - 'video/x-ms-wmv' + - 'wmv_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanGif': + - positive: + flavors: + - 'image/gif' + - 'gif_file' + priority: 5 + 'ScanGzip': + - positive: + flavors: + - 'application/gzip' + - 'application/x-gzip' + - 'gzip_file' + priority: 5 + 'ScanHash': + - positive: + flavors: + - '*' + priority: 5 + 'ScanHeader': + - positive: + flavors: + - '*' + priority: 5 + options: + length: 50 + 'ScanHtml': + - positive: + flavors: + - 'hta_file' + - 'text/html' + - 'html_file' + priority: 5 + options: + parser: "html5lib" + 'ScanIni': + - positive: + filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' + flavors: + - 'ini_file' + priority: 5 + 'ScanJarManifest': + - positive: + flavors: + - 'jar_manifest_file' + priority: 5 + 'ScanJavascript': + - negative: + flavors: + - 'text/html' + - 'html_file' + positive: + flavors: + - 'javascript_file' + - 'text/javascript' + priority: 5 + options: + beautify: True + 'ScanJpeg': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + priority: 5 + 'ScanJson': + - positive: + flavors: + - 'application/json' + - 'json_file' + priority: 5 + 'ScanLibarchive': + - positive: + flavors: + - 'application/vnd.ms-cab-compressed' + - 'cab_file' + - 'application/x-7z-compressed' + - '_7zip_file' + - 'application/x-cpio' + - 'cpio_file' + - 'application/x-xar' + - 'xar_file' + - 'arj_file' + - 'iso_file' + - 'application/x-debian-package' + - 'debian_package_file' + priority: 5 + options: + limit: 1000 + 'ScanLzma': + - positive: + flavors: + - 'application/x-lzma' + - 'lzma_file' + - 'application/x-xz' + - 'xz_file' + priority: 5 + 'ScanMacho': + - positive: + flavors: + - 'application/x-mach-binary' + - 'macho_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanOcr': + - positive: + 
flavors: + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + priority: 5 + options: + extract_text: False + tmp_directory: '/dev/shm/' + 'ScanOle': + - positive: + flavors: + - 'application/CDFV2' + - 'application/msword' + - 'olecf_file' + priority: 5 + 'ScanPdf': + - positive: + flavors: + - 'application/pdf' + - 'pdf_file' + priority: 5 + options: + extract_text: False + limit: 2000 + 'ScanPe': + - positive: + flavors: + - 'application/x-dosexec' + - 'mz_file' + priority: 5 + 'ScanPgp': + - positive: + flavors: + - 'application/pgp-keys' + - 'pgp_file' + priority: 5 + 'ScanPhp': + - positive: + flavors: + - 'text/x-php' + - 'php_file' + priority: 5 + 'ScanPkcs7': + - positive: + flavors: + - 'pkcs7_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanPlist': + - positive: + flavors: + - 'bplist_file' + - 'plist_file' + priority: 5 + options: + keys: + - 'KeepAlive' + - 'Label' + - 'NetworkState' + - 'Program' + - 'ProgramArguments' + - 'RunAtLoad' + - 'StartInterval' + 'ScanRar': + - positive: + flavors: + - 'application/x-rar' + - 'rar_file' + priority: 5 + options: + limit: 1000 + 'ScanRpm': + - positive: + flavors: + - 'application/x-rpm' + - 'rpm_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanRtf': + - positive: + flavors: + - 'text/rtf' + - 'rtf_file' + priority: 5 + options: + limit: 1000 + 'ScanRuby': + - positive: + flavors: + - 'text/x-ruby' + priority: 5 + 'ScanSwf': + - positive: + flavors: + - 'application/x-shockwave-flash' + - 'fws_file' + - 'cws_file' + - 'zws_file' + priority: 5 + 'ScanTar': + - positive: + flavors: + - 'application/x-tar' + - 'tar_file' + priority: 5 + options: + limit: 1000 + 'ScanTnef': + - positive: + flavors: + - 'application/vnd.ms-tnef' + - 'tnef_file' + priority: 5 + 'ScanUpx': + - positive: + flavors: + - 'upx_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanUrl': + - negative: + 
flavors: + - 'javascript_file' + positive: + flavors: + - 'text/plain' + priority: 5 + 'ScanVb': + - positive: + flavors: + - 'vb_file' + - 'vbscript' + priority: 5 + 'ScanVba': + - positive: + flavors: + - 'mhtml_file' + - 'application/msword' + - 'olecf_file' + - 'wordml_file' + priority: 5 + options: + analyze_macros: True + 'ScanX509': + - positive: + flavors: + - 'x509_der_file' + priority: 5 + options: + type: 'der' + - positive: + flavors: + - 'x509_pem_file' + priority: 5 + options: + type: 'pem' + 'ScanXml': + - positive: + flavors: + - 'application/xml' + - 'text/xml' + - 'xml_file' + - 'mso_file' + - 'soap_file' + priority: 5 + 'ScanYara': + - positive: + flavors: + - '*' + priority: 5 + options: + location: '/etc/yara/' + 'ScanZip': + - positive: + flavors: + - 'application/java-archive' + - 'application/zip' + - 'zip_file' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'ooxml_file' + priority: 5 + options: + limit: 1000 + password_file: '/etc/strelka/passwords.dat' + 'ScanZlib': + - positive: + flavors: + - 'application/zlib' + - 'zlib_file' + priority: 5 + logging: + version: 1 + formatters: + simple: + format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' + datefmt: '%Y-%m-%d %H:%M:%S' + handlers: + console: + class: logging.StreamHandler + formatter: simple + stream: ext://sys.stdout + root: + level: DEBUG + handlers: [console] + loggers: + OpenSSL: + propagate: 0 + bs4: + propagate: 0 + bz2: + propagate: 0 + chardet: + propagate: 0 + docx: + propagate: 0 + elftools: + propagate: 0 + email: + propagate: 0 + entropy: + propagate: 0 + esprima: + propagate: 0 + gzip: + propagate: 0 + hashlib: + propagate: 0 + json: + propagate: 0 + libarchive: + propagate: 0 + lxml: + propagate: 0 + 
lzma: + propagate: 0 + macholibre: + propagate: 0 + olefile: + propagate: 0 + oletools: + propagate: 0 + pdfminer: + propagate: 0 + pefile: + propagate: 0 + pgpdump: + propagate: 0 + pygments: + propagate: 0 + pylzma: + propagate: 0 + rarfile: + propagate: 0 + requests: + propagate: 0 + rpmfile: + propagate: 0 + ssdeep: + propagate: 0 + tarfile: + propagate: 0 + tnefparse: + propagate: 0 + yara: + propagate: 0 + zipfile: + propagate: 0 + zlib: + propagate: 0 + passwords: + - infected + - password + filestream: + conn: + server: 'HOST:57314' + cert: '' + timeout: + dial: 5s + file: 1m + throughput: + concurrency: 8 + chunk: 32768 + delay: 0s + files: + patterns: + - '/nsm/strelka/unprocessed/*' + delete: false + gatekeeper: true + processed: '/nsm/strelka/processed' + response: + report: 5s + delta: 5s + staging: '/nsm/strelka/staging' + frontend: + server: ":57314" + coordinator: + addr: 'HOST:6380' + db: 0 + gatekeeper: + addr: 'HOST:6381' + db: 0 + ttl: 1h + response: + log: "/var/log/strelka/strelka.log" + manager: + coordinator: + addr: 'HOST:6380' + db: 0 + + + + + + + + + + + + + + + + + + excluded_rules: - apt_flame2_orchestrator.yar - apt_tetris.yar - gen_susp_js_obfuscatorio.yar diff --git a/salt/strelka/filecheck/defaults.yaml b/salt/strelka/filecheck/defaults.yaml new file mode 100644 index 000000000..6f45954d6 --- /dev/null +++ b/salt/strelka/filecheck/defaults.yaml @@ -0,0 +1,4 @@ +filecheck: + historypath: '/nsm/strelka/history/' + strelkapath: '/nsm/strelka/unprocessed/' + logfile: '/opt/so/log/strelka/filecheck.log' diff --git a/salt/strelka/filecheck/filecheck.yaml b/salt/strelka/filecheck/filecheck.yaml deleted file mode 100644 index 1c156fc3d..000000000 --- a/salt/strelka/filecheck/filecheck.yaml +++ /dev/null 
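Review bot: `filestream.conn.cert: ''` leaves the filestream→frontend gRPC session on `HOST:57314` unauthenticated and unencrypted, so on a distributed grid the extracted (often malicious) files travel between nodes in cleartext and any host that can reach 57314 can submit files for scanning; the value is carried over from the old per-role template, but as a merged default it deserves a comment such as `# TLS on the filestream/frontend channel is off (cert: ''); the grid firewall is the only control on 57314`, or better a pillar override path for a cert. Two smaller items: `logging.root.level: DEBUG` makes every scanner log at debug in production, and the run of eighteen empty `+` lines before `excluded_rules:` is stray whitespace that should be dropped. The `'HOST:6380'`/`'HOST:6381'` placeholders are presumably rewritten by the `strelka/map.jinja` that is not in this view; if they are not, the coordinator address is a literal `HOST`.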
@@ -1,10 +0,0 @@ -{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %} -filecheck: - {%- if ENGINE == "SURICATA" %} - extract_path: '/nsm/suricata/extracted' - {%- else %} - extract_path: '/nsm/zeek/extracted/complete' - {%- endif %} - historypath: '/nsm/strelka/history/' - strelkapath: '/nsm/strelka/unprocessed/' - logfile: '/opt/so/log/strelka/filecheck.log' diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja new file mode 100644 index 000000000..95c5abab2 --- /dev/null +++ b/salt/strelka/filecheck/filecheck.yaml.jinja @@ -0,0 +1 @@ +{{ FILECHECKCONFIG | yaml(false) }} diff --git a/salt/strelka/filecheck/map.jinja b/salt/strelka/filecheck/map.jinja new file mode 100644 index 000000000..670136b45 --- /dev/null +++ b/salt/strelka/filecheck/map.jinja @@ -0,0 +1,12 @@ +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %} + +{% if GLOBALS.md_engine == "SURICATA" %} +{% set extract_path = '/nsm/suricata/extracted' %} +{% set filecheck_runas = 'suricata' %} +{% else %} +{% set extract_path = '/nsm/zeek/extracted/complete' %} +{% set filecheck_runas = 'socore' %} +{% endif %} + +{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %} diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml deleted file mode 100644 index db6ce0560..000000000 --- a/salt/strelka/files/backend/backend.yaml +++ /dev/null 
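Review bot: `FILECHECKDEFAULTS` is loaded from `strelka/filecheck/defaults.yaml` only and never merged with pillar, so unlike the other Strelka config (`STRELKAMERGED`) an operator cannot override `historypath`, `strelkapath` or `logfile`, and the computed `extract_path` is bolted on with `update`; if that is intentional, a one-line comment saying the filecheck config is not pillar-overridable will stop the next person from adding a pillar key that silently does nothing. The exported `filecheck_runas` selects the account the filecheck process runs as (`suricata` or `socore`), which presumably has to read `extract_path` and write `strelkapath`; stating that next to the `set` would explain why the account follows the metadata engine.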
@@ -1,420 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -logging_cfg: '/etc/strelka/logging.yaml' -limits: - max_files: 0 - time_to_live: 0 - max_depth: 15 - distribution: 600 - scanner: 150 -coordinator: - addr: '{{ ip }}:6380' - db: 0 -tasting: - mime_db: null - yara_rules: '/etc/strelka/taste/' -scanners: - 'ScanBase64': - - positive: - filename: '^base64_' - priority: 5 - 'ScanBatch': - - positive: - flavors: - - 'text/x-msdos-batch' - - 'batch_file' - priority: 5 - 'ScanBzip2': - - positive: - flavors: - - 'application/x-bzip2' - - 'bzip2_file' - priority: 5 - 'ScanDocx': - - positive: - flavors: - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - priority: 5 - options: - extract_text: False - 'ScanElf': - - positive: - flavors: - - 'application/x-object' - - 'application/x-executable' - - 'application/x-sharedlib' - - 'application/x-coredump' - - 'elf_file' - priority: 5 - 'ScanEmail': - - positive: - flavors: - - 'application/vnd.ms-outlook' - - 'message/rfc822' - - 'email_file' - priority: 5 - 'ScanEntropy': - - positive: - flavors: - - '*' - priority: 5 - 'ScanExiftool': - - positive: - flavors: - - 'application/msword' - - 'application/vnd.openxmlformats-officedocument' - - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - - 'olecf_file' - - 'ooxml_file' - - 'audio/mpeg' - - 'mp3_file' - - 'mhtml_file' - - 'application/pdf' - - 'pdf_file' - - 'text/rtf' - - 'rtf_file' - - 'wordml_file' - - 'application/x-dosexec' - - 'mz_file' - - 'application/x-object' - - 'application/x-executable' - - 'application/x-sharedlib' - - 
'application/x-coredump' - - 'elf_file' - - 'lnk_file' - - 'application/x-mach-binary' - - 'macho_file' - - 'image/gif' - - 'gif_file' - - 'image/jpeg' - - 'jpeg_file' - - 'image/png' - - 'png_file' - - 'image/tiff' - - 'type_is_tiff' - - 'image/x-ms-bmp' - - 'bmp_file' - - 'application/x-shockwave-flash' - - 'fws_file' - - 'psd_file' - - 'video/mp4' - - 'video/quicktime' - - 'video/x-msvideo' - - 'avi_file' - - 'video/x-ms-wmv' - - 'wmv_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanGif': - - positive: - flavors: - - 'image/gif' - - 'gif_file' - priority: 5 - 'ScanGzip': - - positive: - flavors: - - 'application/gzip' - - 'application/x-gzip' - - 'gzip_file' - priority: 5 - 'ScanHash': - - positive: - flavors: - - '*' - priority: 5 - 'ScanHeader': - - positive: - flavors: - - '*' - priority: 5 - options: - length: 50 - 'ScanHtml': - - positive: - flavors: - - 'hta_file' - - 'text/html' - - 'html_file' - priority: 5 - options: - parser: "html5lib" - 'ScanIni': - - positive: - filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' - flavors: - - 'ini_file' - priority: 5 - 'ScanJarManifest': - - positive: - flavors: - - 'jar_manifest_file' - priority: 5 - 'ScanJavascript': - - negative: - flavors: - - 'text/html' - - 'html_file' - positive: - flavors: - - 'javascript_file' - - 'text/javascript' - priority: 5 - options: - beautify: True - 'ScanJpeg': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - priority: 5 - 'ScanJson': - - positive: - flavors: - - 'application/json' - - 'json_file' - priority: 5 - 'ScanLibarchive': - - positive: - flavors: - - 'application/vnd.ms-cab-compressed' - - 'cab_file' - - 'application/x-7z-compressed' - - '_7zip_file' - - 'application/x-cpio' - - 'cpio_file' - - 'application/x-xar' - - 'xar_file' - - 'arj_file' - - 'iso_file' - - 'application/x-debian-package' - - 'debian_package_file' - priority: 5 - options: - limit: 1000 - 'ScanLzma': - - positive: - flavors: - - 'application/x-lzma' - - 'lzma_file' - - 
'application/x-xz' - - 'xz_file' - priority: 5 - 'ScanMacho': - - positive: - flavors: - - 'application/x-mach-binary' - - 'macho_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanOcr': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - - 'image/png' - - 'png_file' - - 'image/tiff' - - 'type_is_tiff' - - 'image/x-ms-bmp' - - 'bmp_file' - priority: 5 - options: - extract_text: False - tmp_directory: '/dev/shm/' - 'ScanOle': - - positive: - flavors: - - 'application/CDFV2' - - 'application/msword' - - 'olecf_file' - priority: 5 - 'ScanPdf': - - positive: - flavors: - - 'application/pdf' - - 'pdf_file' - priority: 5 - options: - extract_text: False - limit: 2000 - 'ScanPe': - - positive: - flavors: - - 'application/x-dosexec' - - 'mz_file' - priority: 5 - 'ScanPgp': - - positive: - flavors: - - 'application/pgp-keys' - - 'pgp_file' - priority: 5 - 'ScanPhp': - - positive: - flavors: - - 'text/x-php' - - 'php_file' - priority: 5 - 'ScanPkcs7': - - positive: - flavors: - - 'pkcs7_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanPlist': - - positive: - flavors: - - 'bplist_file' - - 'plist_file' - priority: 5 - options: - keys: - - 'KeepAlive' - - 'Label' - - 'NetworkState' - - 'Program' - - 'ProgramArguments' - - 'RunAtLoad' - - 'StartInterval' - 'ScanRar': - - positive: - flavors: - - 'application/x-rar' - - 'rar_file' - priority: 5 - options: - limit: 1000 - 'ScanRpm': - - positive: - flavors: - - 'application/x-rpm' - - 'rpm_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanRtf': - - positive: - flavors: - - 'text/rtf' - - 'rtf_file' - priority: 5 - options: - limit: 1000 - 'ScanRuby': - - positive: - flavors: - - 'text/x-ruby' - priority: 5 - 'ScanSwf': - - positive: - flavors: - - 'application/x-shockwave-flash' - - 'fws_file' - - 'cws_file' - - 'zws_file' - priority: 5 - 'ScanTar': - - positive: - flavors: - - 'application/x-tar' - - 'tar_file' - priority: 5 - options: - limit: 1000 - 'ScanTnef': - - 
positive: - flavors: - - 'application/vnd.ms-tnef' - - 'tnef_file' - priority: 5 - 'ScanUpx': - - positive: - flavors: - - 'upx_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanUrl': - - negative: - flavors: - - 'javascript_file' - positive: - flavors: - - 'text/plain' - priority: 5 - 'ScanVb': - - positive: - flavors: - - 'vb_file' - - 'vbscript' - priority: 5 - 'ScanVba': - - positive: - flavors: - - 'mhtml_file' - - 'application/msword' - - 'olecf_file' - - 'wordml_file' - priority: 5 - options: - analyze_macros: True - 'ScanX509': - - positive: - flavors: - - 'x509_der_file' - priority: 5 - options: - type: 'der' - - positive: - flavors: - - 'x509_pem_file' - priority: 5 - options: - type: 'pem' - 'ScanXml': - - positive: - flavors: - - 'application/xml' - - 'text/xml' - - 'xml_file' - - 'mso_file' - - 'soap_file' - priority: 5 - 'ScanYara': - - positive: - flavors: - - '*' - priority: 5 - options: - location: '/etc/yara/' - 'ScanZip': - - positive: - flavors: - - 'application/java-archive' - - 'application/zip' - - 'zip_file' - - 'application/vnd.openxmlformats-officedocument' - - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - - 'ooxml_file' - priority: 5 - options: - limit: 1000 - password_file: '/etc/strelka/passwords.dat' - 'ScanZlib': - - positive: - flavors: - - 'application/zlib' - - 'zlib_file' - priority: 5 diff --git a/salt/strelka/files/backend/backend.yaml.jinja b/salt/strelka/files/backend/backend.yaml.jinja new file mode 100644 index 000000000..151cff550 --- /dev/null +++ b/salt/strelka/files/backend/backend.yaml.jinja @@ -0,0 +1 @@ +{{ BACKENDCONFIG | yaml(false) }} diff --git a/salt/strelka/files/backend/logging.yaml b/salt/strelka/files/backend/logging.yaml deleted file mode 100644 index b21d3c396..000000000 
--- a/salt/strelka/files/backend/logging.yaml +++ /dev/null @@ -1,78 +0,0 @@ -version: 1 -formatters: - simple: - format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' - datefmt: '%Y-%m-%d %H:%M:%S' -handlers: - console: - class: logging.StreamHandler - formatter: simple - stream: ext://sys.stdout -root: - level: DEBUG - handlers: [console] -loggers: - OpenSSL: - propagate: 0 - bs4: - propagate: 0 - bz2: - propagate: 0 - chardet: - propagate: 0 - docx: - propagate: 0 - elftools: - propagate: 0 - email: - propagate: 0 - entropy: - propagate: 0 - esprima: - propagate: 0 - gzip: - propagate: 0 - hashlib: - propagate: 0 - json: - propagate: 0 - libarchive: - propagate: 0 - lxml: - propagate: 0 - lzma: - propagate: 0 - macholibre: - propagate: 0 - olefile: - propagate: 0 - oletools: - propagate: 0 - pdfminer: - propagate: 0 - pefile: - propagate: 0 - pgpdump: - propagate: 0 - pygments: - propagate: 0 - pylzma: - propagate: 0 - rarfile: - propagate: 0 - requests: - propagate: 0 - rpmfile: - propagate: 0 - ssdeep: - propagate: 0 - tarfile: - propagate: 0 - tnefparse: - propagate: 0 - yara: - propagate: 0 - zipfile: - propagate: 0 - zlib: - propagate: 0 diff --git a/salt/strelka/files/backend/logging.yaml.jinja b/salt/strelka/files/backend/logging.yaml.jinja new file mode 100644 index 000000000..f3915e9f1 --- /dev/null +++ b/salt/strelka/files/backend/logging.yaml.jinja @@ -0,0 +1 @@ +{{ LOGGINGCONFIG | yaml(false) }} diff --git a/salt/strelka/files/backend/passwords.dat b/salt/strelka/files/backend/passwords.dat deleted file mode 100644 index e9541f540..000000000 --- a/salt/strelka/files/backend/passwords.dat +++ /dev/null @@ -1,2 +0,0 @@ -infected -password diff --git a/salt/strelka/files/backend/passwords.dat.jinja b/salt/strelka/files/backend/passwords.dat.jinja new file mode 100644 index 000000000..45ac9c6e0 --- /dev/null +++ b/salt/strelka/files/backend/passwords.dat.jinja @@ -0,0 +1 @@ +{{ PASSWORDS | join('\n') }} 
diff --git a/salt/strelka/files/filestream/filestream.yaml b/salt/strelka/files/filestream/filestream.yaml deleted file mode 100644 index 57ef65127..000000000 --- a/salt/strelka/files/filestream/filestream.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -conn: - server: '{{ ip }}:57314' - cert: '' - timeout: - dial: 5s - file: 1m -throughput: - concurrency: 8 - chunk: 32768 - delay: 0s -files: - patterns: - - '/nsm/strelka/unprocessed/*' - delete: false - gatekeeper: true - processed: '/nsm/strelka/processed' -response: - report: 5s -delta: 5s -staging: '/nsm/strelka/staging' diff --git a/salt/strelka/files/filestream/filestream.yaml.jinja b/salt/strelka/files/filestream/filestream.yaml.jinja new file mode 100644 index 000000000..dc435fd9c --- /dev/null +++ b/salt/strelka/files/filestream/filestream.yaml.jinja @@ -0,0 +1 @@ +{{ FILESTREAMCONFIG | yaml(false) }} diff --git a/salt/strelka/files/frontend/frontend.yaml b/salt/strelka/files/frontend/frontend.yaml deleted file mode 100644 index 137966c8e..000000000 --- a/salt/strelka/files/frontend/frontend.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -server: ":57314" -coordinator: - addr: '{{ ip }}:6380' - db: 0 -gatekeeper: - addr: '{{ ip }}:6381' - db: 0 - ttl: 1h -response: - log: "/var/log/strelka/strelka.log" diff --git a/salt/strelka/files/frontend/frontend.yaml.jinja b/salt/strelka/files/frontend/frontend.yaml.jinja new file mode 100644 index 000000000..4cb281736 --- /dev/null 
+++ b/salt/strelka/files/frontend/frontend.yaml.jinja @@ -0,0 +1 @@ +{{ FRONTENDCONFIG | yaml(false) }} diff --git a/salt/strelka/files/manager/manager.yaml b/salt/strelka/files/manager/manager.yaml deleted file mode 100644 index bd15b6423..000000000 --- a/salt/strelka/files/manager/manager.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{%- if grains.role in ['so-sensor', 'so-heavynode'] -%} - {%- set mainint = salt['pillar.get']('host:mainint') %} - {%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- else %} - {%- set ip = salt['pillar.get']('global:managerip') %} -{%- endif -%} -coordinator: - addr: '{{ ip }}:6380' - db: 0 diff --git a/salt/strelka/files/manager/manager.yaml.jinja b/salt/strelka/files/manager/manager.yaml.jinja new file mode 100644 index 000000000..c91c2e8c8 --- /dev/null +++ b/salt/strelka/files/manager/manager.yaml.jinja @@ -0,0 +1 @@ +{{ MANAGERCONFIG | yaml(false) }} diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index d29053229..bec22c1fa 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -8,15 +8,10 @@ {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} -{% import_yaml 'strelka/defaults.yaml' as strelka_config with context %} -{% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %} -{% set ENGINE = salt['pillar.get']('global:mdengine', '') %} -{% if ENGINE == "SURICATA" %} - {% set filecheck_runas = 'suricata' %} -{% else %} - {% set filecheck_runas = 'socore' %} -{% endif %} +{% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} +{% from 'strelka/filecheck/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: 
@@ -33,14 +28,65 @@ strelkarulesdir: - group: 939 - makedirs: True -# Sync dynamic config to conf dir -strelkasync: - file.recurse: - - name: /opt/so/conf/strelka/ - - source: salt://strelka/files +backend_backend_config: + file.managed: + - name: /opt/so/conf/strelka/backend/backend.yaml + - source: salt://strelka/files/backend/backend.yaml.jinja + - template: jinja - user: 939 - group: 939 + - defaults: + BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }} + +backend_logging_config: + file.managed: + - name: /opt/so/conf/strelka/backend/logging.yaml + - source: salt://strelka/files/backend/logging.yaml.jinja - template: jinja + - user: 939 + - group: 939 + - defaults: + LOGGINGCONFIG: {{ STRELKAMERGED.config.backend.logging }} + +backend_passwords: + file.managed: + - name: /opt/so/conf/strelka/backend/passwords.dat + - source: salt://strelka/files/backend/passwords.dat.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }} + +filestream_config: + file.managed: + - name: /opt/so/conf/strelka/filestream/filestream.yaml + - source: salt://strelka/files/filestream/filestream.yaml.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }} + +frontend_config: + file.managed: + - name: /opt/so/conf/strelka/frontend/frontend.yaml + - source: salt://strelka/files/frontend/frontend.yaml.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }} + +manager_config: + file.managed: + - name: /opt/so/conf/strelka/manager/manager.yaml + - source: salt://strelka/files/manager/manager.yaml.jinja + - template: jinja + - user: 939 + - group: 939 + - defaults: + MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} {% if STRELKA_RULES == 1 %} 
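Review bot: `backend_passwords` writes `/opt/so/conf/strelka/backend/passwords.dat` with only `user`/`group` set, so the file takes the minion's default mode and is likely world-readable; a password file should carry `- mode: 600` (or 640 if the container reads it as group 939) and `- show_changes: False` so its contents are not echoed into state output and the job cache. The other states render pillar dicts with a bare `{{ STRELKAMERGED.config… }}` into `defaults:`, which relies on Python repr being valid YAML and breaks on strings containing `#` or `: `; `{{ STRELKAMERGED.config.backend.passwords | tojson }}` is the safer form for all of them. The `{% if STRELKA_RULES == 1 %}` at the end opens a block that continues outside the hunk.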
@@ -51,16 +97,6 @@ strelkarules: - user: 939 - group: 939 - clean: True - - exclude_pat: - {% for IGNOREDRULE in IGNORELIST %} - - {{ IGNOREDRULE }} - {% endfor %} - - {% for IGNOREDRULE in IGNORELIST %} -remove_rule_{{ IGNOREDRULE }}: - file.absent: - - name: /opt/so/conf/strelka/rules/signature-base/{{ IGNOREDRULE }} - {% endfor %} {% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: @@ -133,8 +169,10 @@ filecheck_history: filecheck_conf: file.managed: - name: /opt/so/conf/strelka/filecheck.yaml - - source: salt://strelka/filecheck/filecheck.yaml + - source: salt://strelka/filecheck/filecheck.yaml.jinja - template: jinja + - defaults: + FILECHECKCONFIG: {{ FILECHECKDEFAULTS }} filecheck_script: file.managed: @@ -173,7 +211,7 @@ strelka_coordinator: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} - {{ BINDING }} @@ -193,7 +231,7 @@ strelka_gatekeeper: - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} - {{ BINDING }} @@ -217,7 +255,7 @@ strelka_frontend: - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} - {{ BINDING }} 
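Review bot: Dropping `exclude_pat` and the `remove_rule_*` states means the `strelka:ignore` pillar key is no longer consumed by this state, so on an existing deployment the rules an operator suppressed that way are synced back in by `strelkarules` (which keeps `clean: True`) unless the key is migrated to whatever exclusion list the updater now honours; a comment above `strelkarules` such as `# rule exclusions are applied at update time on the manager, not here` plus a migration note in the commit would make that explicit. This hunk sits inside the `{% if STRELKA_RULES == 1 %}` block that starts outside it. Separately, `filecheck_conf` passes `FILECHECKDEFAULTS` straight into `defaults:`; if the name is accurate, pillar overrides for filecheck are not merged in, which is worth confirming.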
@@ -240,7 +278,7 @@ strelka_backend: - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - command: strelka-backend - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - restart_policy: on-failure append_so-strelka-backend_so-status.conf: @@ -259,7 +297,7 @@ strelka_manager: - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - command: strelka-manager - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} append_so-strelka-manager_so-status.conf: file.append: @@ -278,7 +316,7 @@ strelka_filestream: - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - command: strelka-filestream - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} append_so-strelka-filestream_so-status.conf: file.append: diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja new file mode 100644 index 000000000..bf0a29a17 --- /dev/null +++ b/salt/strelka/map.jinja 
@@ -0,0 +1,20 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% import_yaml 'strelka/defaults.yaml' as STRELKADEFAULTS %}
+{% set HOST = GLOBALS.hostname %}
+
+{% set backend_coordinator_port = STRELKADEFAULTS.strelka.config.backend.backend.coordinator.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.backend.backend.coordinator.update({'addr': HOST ~ ':' ~ backend_coordinator_port}) %}
+
+{% set filestream_conn_port = STRELKADEFAULTS.strelka.config.filestream.conn.server.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.filestream.conn.update({'server': HOST ~ ':' ~ filestream_conn_port}) %}
+
+{% set frontend_coordinator_port = STRELKADEFAULTS.strelka.config.frontend.coordinator.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.frontend.coordinator.update({'addr': HOST ~ ':' ~ frontend_coordinator_port}) %}
+
+{% set frontend_gatekeeper_port = STRELKADEFAULTS.strelka.config.frontend.gatekeeper.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.frontend.gatekeeper.update({'addr': HOST ~ ':' ~ frontend_gatekeeper_port}) %}
+
+{% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %}
+{% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %}
+
+{% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %}
From e105e56facbb5c9639c1da1fb30b26ec27a14073 Mon Sep 17 00:00:00 2001 From: Wes Date: Mon, 13 Mar 2023 13:27:02 +0000 Subject: [PATCH 281/470] Move data stream configuration outside of ILM policy definition
---
 salt/elasticsearch/defaults.yaml | 57 ++++++++++++++------------------
 1 file changed, 24 insertions(+), 33 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index c4098e08c..d47125972 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
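Review bot: Each `split(':')[1]` assumes the default `addr`/`server` holds exactly one colon; a default written as an IPv6 literal or with a scheme would pick the wrong segment, so `rsplit(':', 1)[-1]` is the robust form and costs nothing. The five near-identical set/update pairs could be a loop over the dotted paths, which would keep a sixth component from being forgotten when one is added. The HOST substitution is applied only to the defaults, before `pillar.get(..., merge=True)`, so a pillar override of any `addr` must supply its own host and port; a comment above the `STRELKAMERGED` line, `# pillar addr overrides are taken verbatim; HOST substitution applies to defaults only`, would prevent surprises.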
@@ -84,6 +84,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: @@ -108,9 +111,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.auditbeat: index_sorting: False index_template: @@ -138,6 +138,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: @@ -162,9 +165,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.cloudbeat: index_sorting: False index_template: @@ -216,9 +216,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.endpoint_security: index_sorting: False index_template: @@ -246,6 +243,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: @@ -270,9 +270,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.filebeat: index_sorting: False index_template: @@ -324,9 +321,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.fleet_server: index_sorting: False index_template: @@ -354,6 +348,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: 
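Review bot: In the `so-logs-elastic_agent.cloudbeat` hunk (`@@ -216,9 +216,6`) and the `so-logs-elastic_agent.filebeat` hunk (`@@ -324,9 +321,6`) the `data_stream:` block is removed from the policy but, unlike every other template in this line, no matching `data_stream:` is added under `index_template` beneath `priority: 200`. Unless those two templates already carry the key somewhere outside the hunk, they stop declaring a data stream while all their siblings do. Please confirm and, if not, add `data_stream:` / `hidden: false` / `allow_custom_routing: false` under their `index_template` as well.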
@@ -378,9 +375,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.heartbeat: index_sorting: False index_template: @@ -432,9 +426,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent: index_sorting: False index_template: @@ -462,6 +453,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: @@ -486,9 +480,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.metricbeat: index_sorting: False index_template: @@ -516,6 +507,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: @@ -540,9 +534,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.osquerybeat: index_sorting: False index_template: @@ -570,6 +561,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: @@ -594,9 +588,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-logs-elastic_agent.packetbeat: index_sorting: False index_template: @@ -624,6 +615,9 @@ elasticsearch: - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: 
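Review bot: The `so-logs-elastic_agent.heartbeat` hunk (`@@ -432,9 +426,6`) likewise only removes `data_stream:` and has no corresponding addition under `index_template`, and the diffstat (24 insertions against 33 deletions) is consistent with exactly three templates losing the key entirely. Confirm whether heartbeat already declares `data_stream` elsewhere; otherwise add the same three lines its neighbours receive.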
@@ -648,9 +642,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - data_stream: - hidden: false - allow_custom_routing: false so-aws: warm: 7 close: 30 From b3a2680847f4222caa290051859fbd716fea3f63 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 13 Mar 2023 11:41:36 -0400 Subject: [PATCH 282/470] auto-apply firewall rules --- salt/common/tools/sbin/so-firewall | 2 ++ salt/common/tools/sbin/so-firewall-minion | 12 ++++++------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall index 69808c709..16dcdf729 100755 --- a/salt/common/tools/sbin/so-firewall +++ b/salt/common/tools/sbin/so-firewall @@ -97,6 +97,8 @@ echo "$IP" >> $local_salt_dir/hostgroups/$ROLE if [ "$APPLY" = "true" ]; then echo "Applying the firewall rules" salt-call state.apply firewall queue=True + echo "Firewall rules have been applied... Review logs further if there were errors." + echo "" else echo "Firewall rules will be applied next salt run" fi diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion index e796035f9..19ea26864 100755 --- a/salt/common/tools/sbin/so-firewall-minion +++ b/salt/common/tools/sbin/so-firewall-minion 
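Review bot: The new message tells the operator to "Review logs further if there were errors", but nothing checks whether `salt-call state.apply firewall queue=True` succeeded; salt-call exits 0 on failed states unless `--retcode-passthrough` is given, so a broken firewall apply prints the same reassuring text and the caller cannot react. Suggest `salt-call state.apply firewall queue=True --retcode-passthrough || { echo "Firewall state failed; rules may not be in effect" >&2; exit 1; }` so wrappers such as so-firewall-minion see the failure. The parsing of `APPLY` happens before the hunk.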
@@ -54,25 +54,25 @@ fi
 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
 so-firewall --role=manager --ip="$IP"
 so-firewall --role=sensors --ip="$IP"
- so-firewall --apply --role=searchnodes --ip="$IP"
+ so-firewall --apply=true --role=searchnodes --ip="$IP"
 ;;
 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
 case "$ROLE" in
 'SENSOR')
- so-firewall --apply --role=sensors --ip="$IP"
+ so-firewall --apply=true --role=sensors --ip="$IP"
 ;;
 'SEARCHNODE')
- so-firewall --apply --role=searchnodes --ip="$IP"
+ so-firewall --apply=true --role=searchnodes --ip="$IP"
 ;;
 'HEAVYNODE')
 so-firewall --role=sensors --ip="$IP"
- so-firewall --apply --role=heavynodes --ip="$IP"
+ so-firewall --apply=true --role=heavynodes --ip="$IP"
 ;;
 'IDH')
- so-firewall --apply --role=sensors --ip="$IP"
+ so-firewall --apply=true --role=sensors --ip="$IP"
 ;;
 'RECEIVER')
- so-firewall --apply --role=receivers --ip="$IP"
+ so-firewall --apply=true --role=receivers --ip="$IP"
 ;;
 esac
 ;;
From f7be4ba31c48d7b808f9d31b4fa79c5ba09e5f61 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 13 Mar 2023 14:07:17 -0400 Subject: [PATCH 283/470] Remove host field from NIDS logs
---
 salt/elasticsearch/files/ingest/common.nids | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/files/ingest/common.nids b/salt/elasticsearch/files/ingest/common.nids
index df6af7a85..53a3f7b79 100644
--- a/salt/elasticsearch/files/ingest/common.nids
+++ b/salt/elasticsearch/files/ingest/common.nids
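Review bot: In the `EVAL | MANAGERSEARCH | STANDALONE | IMPORT` branch only the last of the three `so-firewall` calls carries `--apply=true`, and the `HEAVYNODE` branch follows the same pattern; that is correct because a single apply picks up every hostgroup file written before it, but nothing says so, and a reader may "fix" it by applying on each call and triple the salt runs. A comment above the branch, `# only the final call applies; earlier calls just record the IP in their hostgroup files`, would make the intent durable. The `case "$ROLE"` statement this hunk lives in starts outside it.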
@@ -11,7 +11,7 @@ { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, - { "remove": { "field": ["rule_type", "rest_of_rulename"], "ignore_failure": true } }, + { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } }, { "pipeline": { "name": "common" } } ] } From 9d4e1cc1499dd6b957bee814b650bb48882857af Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 13 Mar 2023 16:48:21 -0400 Subject: [PATCH 284/470] jinja for strelka --- salt/manager/files/so-yara-update.jinja | 2 +- salt/manager/init.sls | 2 +- salt/strelka/defaults.yaml | 58 ++++++++++--------------- salt/strelka/init.sls | 13 ++++-- salt/strelka/repos.txt.jinja | 2 + salt/strelka/rules/ignore.txt | 4 -- salt/strelka/rules/repos.txt | 1 - salt/strelka/rules/repos.txt.jinja | 4 -- 8 files changed, 36 insertions(+), 50 deletions(-) create mode 100644 salt/strelka/repos.txt.jinja delete mode 100644 salt/strelka/rules/ignore.txt delete mode 100644 salt/strelka/rules/repos.txt delete mode 100644 salt/strelka/rules/repos.txt.jinja diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja index ea07f72e4..beaa97ab6 100755 --- a/salt/manager/files/so-yara-update.jinja +++ b/salt/manager/files/so-yara-update.jinja @@ -9,7 +9,7 @@ echo "Starting to check for yara rule updates at $(date)..." output_dir="/opt/so/saltstack/default/salt/strelka/rules" mkdir -p $output_dir -repos="$output_dir/repos.txt" +repos="/opt/so/conf/strelka/repos.txt" newcounter=0 excludedcounter=0 excluded_rules=({{ EXCLUDEDRULES | join(' ') }}) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 5f2b0005a..a360fb2c5 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls 
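Review bot: Removing the whole `host` object drops every sub-field (`host.name`, `host.ip` and so on) from NIDS events, not just an unwanted one, so sensor attribution for alerts then depends entirely on `observer.name` being set either earlier in this pipeline or in `common`, and neither is visible here. Confirm that `observer.name` is populated before this processor runs, and if only part of `host` is unwanted, list those sub-fields instead of the parent. The processors array begins outside the hunk.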
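Review bot: `repos` now points at `/opt/so/conf/strelka/repos.txt`, a Salt-rendered file whose first line is a `# DO NOT EDIT` comment and whose remaining lines drive the clone/pull loop further down (outside the hunk); confirm that loop skips comment and blank lines and rejects non-`https://` URLs, because anyone able to influence that file or the pillar behind it chooses which rule sets every sensor scans with. A one-line comment above the assignment, `# rendered from the strelka:rules:repos pillar by salt/strelka/init.sls`, would document the new source of truth.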
@@ -33,7 +33,7 @@ yara_update_script: - template: jinja - defaults: ISAIRGAP: {{ GLOBALS.airgap }} - EXCLUDEDRULES: {{ STRELKAMERGED.excluded_rules }} + EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} strelka_yara_update: cron.present: diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 12f0edda3..cdd75a22d 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -13,7 +13,7 @@ strelka: addr: 'HOST:6380' db: 0 tasting: - mime_db: '' + mime_db: null yara_rules: '/etc/strelka/taste/' scanners: 'ScanBase64': @@ -535,37 +535,25 @@ strelka: addr: 'HOST:6380' db: 0 - - - - - - - - - - - - - - - - - excluded_rules: - - apt_flame2_orchestrator.yar - - apt_tetris.yar - - gen_susp_js_obfuscatorio.yar - - gen_webshells.yar - - generic_anomalies.yar - - general_cloaking.yar - - thor_inverse_matches.yar - - yara_mixed_ext_vars.yar - - apt_apt27_hyperbro.yar - - apt_turla_gazer.yar - - gen_google_anomaly.yar - - gen_icon_anomalies.yar - - gen_nvidia_leaked_cert.yar - - gen_sign_anomalies.yar - - gen_susp_xor.yar - - gen_webshells_ext_vars.yar - - configured_vulns_ext_vars.yar + rules: + enabled: True + repos: + - https://github.com/Neo23x0/signature-base + excluded: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - gen_susp_js_obfuscatorio.yar + - gen_webshells.yar + - generic_anomalies.yar + - general_cloaking.yar + - thor_inverse_matches.yar + - yara_mixed_ext_vars.yar + - apt_apt27_hyperbro.yar + - apt_turla_gazer.yar + - gen_google_anomaly.yar + - gen_icon_anomalies.yar + - gen_nvidia_leaked_cert.yar + - gen_sign_anomalies.yar + - gen_susp_xor.yar + - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index bec22c1fa..bded9ca70 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
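Review bot: `rules.repos` defaults to the unpinned `https://github.com/Neo23x0/signature-base`, so every cron run pulls whatever that repository's default branch holds straight into the scanning path on all sensors, a third-party supply-chain dependency with no integrity check or pin. If the updater can support it, accept a `repo@ref` or commit pin; at minimum document above `repos:` that the branch head is tracked so operators can decide whether to mirror it. `enabled: True` should be the canonical lowercase `true`, which every YAML parser reads the same way.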
@@ -7,7 +7,6 @@ {% if sls in allowed_states %} {% from 'docker/docker.map.jinja' import DOCKER %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% from 'strelka/map.jinja' import STRELKAMERGED %} {% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} @@ -35,6 +34,7 @@ backend_backend_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }} @@ -65,6 +65,7 @@ filestream_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }} @@ -75,6 +76,7 @@ frontend_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }} @@ -85,10 +87,11 @@ manager_config: - template: jinja - user: 939 - group: 939 + - makedirs: True - defaults: MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} -{% if STRELKA_RULES == 1 %} +{% if STRELKAMERGED.rules.enabled %} strelkarules: file.recurse: @@ -101,9 +104,11 @@ strelkarules: {% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - - source: salt://strelka/rules/repos.txt.jinja + - name: /opt/so/conf/strelka/repos.txt + - source: salt://strelka/repos.txt.jinja - template: jinja + - defaults: + STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} {% endif %} {% endif %} diff --git a/salt/strelka/repos.txt.jinja b/salt/strelka/repos.txt.jinja new file mode 100644 index 000000000..043a02203 --- /dev/null +++ b/salt/strelka/repos.txt.jinja @@ -0,0 +1,2 @@ +# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section +{{ STRELKAREPOS | join('\n') }} diff --git a/salt/strelka/rules/ignore.txt b/salt/strelka/rules/ignore.txt deleted file mode 100644 index a803f8c28..000000000 
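Review bot: `strelkarepos` writes `/opt/so/conf/strelka/repos.txt` with no `user`, `group` or `mode`, so ownership and permissions are whatever `file.managed` defaults to on that minion; because this file selects the git repositories the yara updater clones, make them explicit with `- user: root`, `- group: root` and `- mode: 644` so a later edit cannot loosen it unnoticed. `backend_logging_config` and `backend_passwords` did not receive `makedirs: True` and rely on `backend_backend_config` running first to create the directory; that holds under Salt's default declaration ordering, but a `- require: - file: backend_backend_config` would state the dependency rather than leave it implicit.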
--- a/salt/strelka/rules/ignore.txt +++ /dev/null @@ -1,4 +0,0 @@ -generic_anomalies.yar -general_cloaking.yar -thor_inverse_matches.yar -yara_mixed_ext_vars.yar diff --git a/salt/strelka/rules/repos.txt b/salt/strelka/rules/repos.txt deleted file mode 100644 index e26687ea9..000000000 --- a/salt/strelka/rules/repos.txt +++ /dev/null @@ -1 +0,0 @@ -https://github.com/Neo23x0/signature-base diff --git a/salt/strelka/rules/repos.txt.jinja b/salt/strelka/rules/repos.txt.jinja deleted file mode 100644 index 7d449f18d..000000000 --- a/salt/strelka/rules/repos.txt.jinja +++ /dev/null @@ -1,4 +0,0 @@ -# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section -{%- for repo in salt['pillar.get']('strelka:repos', {}) %} -{{ repo }} -{%- endfor %} From 8d395dc465911918c3a2633bffb58199b524e7fa Mon Sep 17 00:00:00 2001 From: Wes Date: Mon, 13 Mar 2023 20:54:13 +0000 Subject: [PATCH 285/470] Add Elastic Agent default data stream backing indices for management by Curator --- salt/curator/defaults.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 237a50c81..958dd99ef 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml @@ -15,6 +15,27 @@ elasticsearch: logs-zeek-so: close: 30 delete: 365 + logs-elastic_agent-metricbeat-default: + close: 30 + delete: 365 + logs-elastic_agent-osquerybeat-default: + close: 30 + delete: 365 + logs-elastic_agent-fleet_server-default: + close: 30 + delete: 365 + logs-elastic_agent-filebeat-default: + close: 30 + delete: 365 + logs-elastic_agent-default: + close: 30 + delete: 365 + logs-system-auth-default: + close: 30 + delete: 365 + logs-system-syslog-default: + close: 30 + delete: 365 so-beats: close: 30 delete: 365 From efc58324999253c158915e710154206ffc671988 Mon Sep 17 00:00:00 2001 
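Review bot: The seven new keys spell the beat names with `-` (`logs-elastic_agent-filebeat-default`) while the index templates and backing indices use `.` (`so-logs-elastic_agent.filebeat`, `.ds-logs-elastic_agent.filebeat-default-*`); that is fine for a config key, but every action file must reproduce the exact string, and a mismatch only surfaces as an undefined-key render failure at state time. A comment above the block, `# keys are Curator action names; the matching backing indices are .ds-logs-elastic_agent.<beat>-default-*`, would make the convention explicit for whoever adds the next stream.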
From: Wes Date: Mon, 13 Mar 2023 20:54:38 +0000 Subject: [PATCH 286/470] Add Elastic Agent default log action files --- .../logs-elastic_agent-default-close.yaml | 27 +++++++++++++++++++ .../logs-elastic_agent-default-delete.yaml | 27 +++++++++++++++++++ ...-elastic_agent-filebeat-default-close.yaml | 27 +++++++++++++++++++ ...elastic_agent-filebeat-default-delete.yaml | 27 +++++++++++++++++++ ...stic_agent-fleet_server-default-close.yaml | 27 +++++++++++++++++++ ...tic_agent-fleet_server-default-delete.yaml | 27 +++++++++++++++++++ ...lastic_agent-metricbeat-default-close.yaml | 27 +++++++++++++++++++ ...astic_agent-metricbeat-default-delete.yaml | 27 +++++++++++++++++++ ...astic_agent-osquerybeat-default-close.yaml | 27 +++++++++++++++++++ ...stic_agent-osquerybeat-default-delete.yaml | 27 +++++++++++++++++++ ...logs-elastic_agent-osquerybeat-delete.yaml | 27 +++++++++++++++++++ .../logs-system-auth-default-close.yaml | 27 +++++++++++++++++++ .../logs-system-auth-default-delete.yaml | 27 +++++++++++++++++++ .../action/logs-system-auth-syslog-close.yaml | 27 +++++++++++++++++++ .../logs-system-syslog-default-close.yaml | 27 +++++++++++++++++++ .../logs-system-syslog-default-delete.yaml | 27 +++++++++++++++++++ 16 files changed, 432 insertions(+) create mode 100644 salt/curator/files/action/logs-elastic_agent-default-close.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-default-delete.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml create mode 100644 
salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml create mode 100644 salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml create mode 100644 salt/curator/files/action/logs-system-auth-default-close.yaml create mode 100644 salt/curator/files/action/logs-system-auth-default-delete.yaml create mode 100644 salt/curator/files/action/logs-system-auth-syslog-close.yaml create mode 100644 salt/curator/files/action/logs-system-syslog-default-close.yaml create mode 100644 salt/curator/files/action/logs-system-syslog-default-delete.yaml diff --git a/salt/curator/files/action/logs-elastic_agent-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-default-close.yaml new file mode 100644 index 000000000..ef03e4ba2 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent default indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
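Review bot: The `close` action selects any `.ds-logs-elastic_agent-default*` index whose name date is older than `cur_close_days`, and that set includes the data stream's current write index whenever rollover has not occurred within that period; closing a write index stops ingestion for the stream. Add a filter that keeps the newest backing index out of the selection (for example a `count` filter with `count: 1` and `exclude: True` before the age filter), or leave these streams to ILM. The regex also leaves its dots unescaped; `'^\.ds-logs-elastic_agent-default-.*$'` says what is meant and cannot match an unrelated prefix.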
diff --git a/salt/curator/files/action/logs-elastic_agent-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml new file mode 100644 index 000000000..dee51c758 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-default-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml new file mode 100644 index 000000000..9277b25fd --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent.filebeat-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Filebeat indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.filebeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml new file mode 100644 index 000000000..dfa51f260 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-delete.yaml 
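Review bot: `CURATORMERGED['logs-elastic_agent.filebeat-default']` uses a dot, but the key defined in `salt/curator/defaults.yaml` is `logs-elastic_agent-filebeat-default` with a hyphen, and the sibling delete file already uses the hyphenated form; as written this template fails to render with an undefined key and the close action never runs. Change the lookup to `{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}`.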
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.filebeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml new file mode 100644 index 000000000..6bc2026b9 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-close.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml new file mode 100644 index 000000000..6fa775ba8 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-fleet_server-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml new file mode 100644 index 000000000..a4e38cd8e --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-close.yaml 
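Review bot: The description reads `Delete import indices when older than {{ DELETE_DAYS }} days.`, a leftover from the file this one was copied from, so the Curator log will attribute these deletions to the wrong data set. It should read `Delete Elastic Agent Fleet Server indices when older than {{ DELETE_DAYS }} days.` to match the pattern and the sibling close action.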
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml new file mode 100644 index 000000000..b42e42c83 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml 
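Review bot: This is the only one of the new action files whose pattern is anchored as `-default-.*`; the others end in `-default.*`, which would also match any future stream that merely starts with the same prefix. The trailing `-` form here is the safer one, so rather than reverting it for consistency, apply it (with the dots escaped, `'^\.ds-logs-elastic_agent\.metricbeat-default-.*$'`) across all the new close and delete files.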
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs--elastic_agent-metricbeat-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml new file mode 100644 index 000000000..9243d8cfb --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-close.yaml 
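Review bot: The lookup `CURATORMERGED['logs--elastic_agent-metricbeat-default'].delete` has a doubled hyphen, while the companion close file in the previous hunk uses `CURATORMERGED['logs-elastic_agent-metricbeat-default'].close`; unless the pillar defines both spellings, rendering this file fails on the undefined key (or, with a non-strict undefined, produces an empty `unit_count:` that Curator rejects), so the metricbeat delete action never runs and those indices are retained indefinitely. Change it to `{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}`. The two files' regexes also differ slightly (`-default-.*` in the close file versus `-default.*` here); keeping them identical makes it clear that close and delete act on the same set of backing indices.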
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml new file mode 100644 index 000000000..bce3b7e63 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml new file mode 100644 index 000000000..b46a5fc73 --- /dev/null +++ b/salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + 
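Review bot: The new `salt/curator/files/action/logs-elastic_agent-osquerybeat-delete.yaml` in the second hunk on this line is a verbatim copy of the import delete action — it reads `CURATORMERGED['logs-import-so'].delete`, matches `'^(.ds-logs-import-so.*)$'` and describes itself as deleting import indices — and its blob id `b46a5fc73` is the same one recorded for `logs-system-syslog-default-delete.yaml` further down this series. Under an osquerybeat filename it would run a second, duplicate delete pass over the import indices on every Curator run, and since `logs-elastic_agent-osquerybeat-default-delete.yaml` in the first hunk already covers osquerybeat, this file looks like a stray that should be removed rather than repointed. If it is meant to stay, its key, regex and description need the osquerybeat values from that sibling file, e.g. `{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}` and `value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'`.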
diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml new file mode 100644 index 000000000..7c04a0ca9 --- /dev/null +++ b/salt/curator/files/action/logs-system-auth-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system.auth-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system auth indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.auth-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-auth-default-delete.yaml b/salt/curator/files/action/logs-system-auth-default-delete.yaml new file mode 100644 index 000000000..d14d560f3 --- /dev/null +++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system.auth-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.auth-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-auth-syslog-close.yaml b/salt/curator/files/action/logs-system-auth-syslog-close.yaml new file mode 100644 index 000000000..52ddb5eb5 --- /dev/null +++ b/salt/curator/files/action/logs-system-auth-syslog-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %} +actions: + 1: + action: close + description: >- + Close import indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: 
diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml new file mode 100644 index 000000000..a9a697a66 --- /dev/null +++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system.syslog-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system syslog indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.syslog-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml new file mode 100644 index 000000000..b46a5fc73 --- /dev/null +++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete import indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-import-so.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + From d5bb223235c6ac48cd69691a0b36419ea20cfb70 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 13 Mar 2023 17:10:52 -0400 Subject: [PATCH 287/470] Fix system syslog delete file configuration --- .../files/action/logs-system-syslog-default-delete.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml index b46a5fc73..36e079408 100644 --- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml +++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml 
@@ -3,19 +3,19 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-system.syslog-default'].delete %} actions: 1: action: delete_indices description: >- - Delete import indices when older than {{ DELETE_DAYS }} days. + Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-import-so.*)$' + value: '^(.ds-logs-system.syslog-default.*)$' - filtertype: age source: name direction: older From c2701f1835372a75ed5ccb3fbca41561679fba3f Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 13 Mar 2023 17:24:12 -0400 Subject: [PATCH 288/470] Fix system syslog default key value --- .../curator/files/action/logs-system-syslog-default-delete.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/action/logs-system-syslog-default-delete.yaml b/salt/curator/files/action/logs-system-syslog-default-delete.yaml index 36e079408..1a7d217e9 100644 --- a/salt/curator/files/action/logs-system-syslog-default-delete.yaml +++ b/salt/curator/files/action/logs-system-syslog-default-delete.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-system.syslog-default'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %} actions: 1: action: delete_indices From 8ade7b85fc450efbd9cb28ee5264b7ccd76213e7 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 13 Mar 2023 17:24:40 -0400 Subject: [PATCH 289/470] Fix system syslog default key value --- salt/curator/files/action/logs-system-syslog-default-close.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/curator/files/action/logs-system-syslog-default-close.yaml b/salt/curator/files/action/logs-system-syslog-default-close.yaml index a9a697a66..3c9482b40 100644 --- a/salt/curator/files/action/logs-system-syslog-default-close.yaml +++ b/salt/curator/files/action/logs-system-syslog-default-close.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = CURATORMERGED['logs-system.syslog-default'].close %} +{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %} actions: 1: action: close From 785f100132bf6fc21010da55fad47450b1d8b666 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 13 Mar 2023 17:25:33 -0400 Subject: [PATCH 290/470] Fix system auth default key value --- salt/curator/files/action/logs-system-auth-default-close.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/action/logs-system-auth-default-close.yaml b/salt/curator/files/action/logs-system-auth-default-close.yaml index 7c04a0ca9..af9843b35 100644 --- a/salt/curator/files/action/logs-system-auth-default-close.yaml +++ b/salt/curator/files/action/logs-system-auth-default-close.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = CURATORMERGED['logs-system.auth-default'].close %} +{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %} actions: 1: action: close From bab40de58d7becd7e71059cc01fa5933ac36bf32 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 13 Mar 2023 17:26:05 -0400 Subject: [PATCH 291/470] Fix system auth default key value --- salt/curator/files/action/logs-system-auth-default-delete.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/curator/files/action/logs-system-auth-default-delete.yaml b/salt/curator/files/action/logs-system-auth-default-delete.yaml index d14d560f3..9a1cc6a9a 100644 --- a/salt/curator/files/action/logs-system-auth-default-delete.yaml +++ b/salt/curator/files/action/logs-system-auth-default-delete.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-system.auth-default'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %} actions: 1: action: delete_indices From f4112b30c0402bdca6a5711a48bff4c88f4e1473 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 13 Mar 2023 17:27:06 -0400 Subject: [PATCH 292/470] Fix index reference for system auth default --- salt/curator/files/action/logs-system-auth-syslog-close.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/curator/files/action/logs-system-auth-syslog-close.yaml b/salt/curator/files/action/logs-system-auth-syslog-close.yaml index 52ddb5eb5..f71ffacb5 100644 --- a/salt/curator/files/action/logs-system-auth-syslog-close.yaml +++ b/salt/curator/files/action/logs-system-auth-syslog-close.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = CURATORMERGED['logs-import-so'].close %} +{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %} actions: 1: action: close @@ -17,7 +17,7 @@ actions: filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-import-so.*)$' + value: '^(.ds-logs-system.auth-default.*)$' - filtertype: age source: name direction: older From 486de12ca5eaee9ecbb9c43dbdab7f73db18a476 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Mon, 13 Mar 2023 17:27:52 -0400 Subject: [PATCH 293/470] Delete logs-system-auth-syslog-close.yaml --- .../action/logs-system-auth-syslog-close.yaml | 27 ------------------- 1 file changed, 27 deletions(-) delete mode 100644 salt/curator/files/action/logs-system-auth-syslog-close.yaml diff --git a/salt/curator/files/action/logs-system-auth-syslog-close.yaml b/salt/curator/files/action/logs-system-auth-syslog-close.yaml deleted file mode 100644 index f71ffacb5..000000000 --- a/salt/curator/files/action/logs-system-auth-syslog-close.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %} -actions: - 1: - action: close - description: >- - Close import indices older than {{cur_close_days}} days. - options: - delete_aliases: False - timeout_override: - continue_if_exception: False - disable_action: False - filters: - - filtertype: pattern - kind: regex - value: '^(.ds-logs-system.auth-default.*)$' - - filtertype: age - source: name - direction: older - timestring: '%Y.%m.%d' - unit: days - unit_count: {{cur_close_days}} - exclude: From 412e5c0402745ee6c287f476c8613ac37c54c64c Mon Sep 17 00:00:00 2001 
From: Wes Date: Tue, 14 Mar 2023 13:46:08 +0000 Subject: [PATCH 294/470] Add more Elastic Agent Curator action files --- ...logs-system-application-default-close.yaml | 27 +++++++++++++++++++ ...ogs-system-application-default-delete.yaml | 27 +++++++++++++++++++ .../logs-system-security-default-close.yaml | 27 +++++++++++++++++++ .../logs-system-security-default-delete.yaml | 27 +++++++++++++++++++ .../logs-system-system-default-close.yaml | 27 +++++++++++++++++++ .../logs-system-system-default-delete.yaml | 27 +++++++++++++++++++ ...logs-windows-powershell-default-close.yaml | 27 +++++++++++++++++++ ...ogs-windows-powershell-default-delete.yaml | 27 +++++++++++++++++++ ...dows-sysmon_operational-default-close.yaml | 27 +++++++++++++++++++ ...ows-sysmon_operational-default-delete.yaml | 27 +++++++++++++++++++ 10 files changed, 270 insertions(+) create mode 100644 salt/curator/files/action/logs-system-application-default-close.yaml create mode 100644 salt/curator/files/action/logs-system-application-default-delete.yaml create mode 100644 salt/curator/files/action/logs-system-security-default-close.yaml create mode 100644 salt/curator/files/action/logs-system-security-default-delete.yaml create mode 100644 salt/curator/files/action/logs-system-system-default-close.yaml create mode 100644 salt/curator/files/action/logs-system-system-default-delete.yaml create mode 100644 salt/curator/files/action/logs-windows-powershell-default-close.yaml create mode 100644 salt/curator/files/action/logs-windows-powershell-default-delete.yaml create mode 100644 salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml create mode 100644 salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml diff --git a/salt/curator/files/action/logs-system-application-default-close.yaml b/salt/curator/files/action/logs-system-application-default-close.yaml new file mode 100644 index 000000000..76d01ecb4 --- /dev/null 
+++ b/salt/curator/files/action/logs-system-application-default-close.yaml @@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system application indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.application-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-application-default-delete.yaml b/salt/curator/files/action/logs-system-application-default-delete.yaml new file mode 100644 index 000000000..b15c06fcb --- /dev/null +++ b/salt/curator/files/action/logs-system-application-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.application-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-security-default-close.yaml b/salt/curator/files/action/logs-system-security-default-close.yaml new file mode 100644 index 000000000..9a8cab35c --- /dev/null +++ b/salt/curator/files/action/logs-system-security-default-close.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system security indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.security-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-security-default-delete.yaml b/salt/curator/files/action/logs-system-security-default-delete.yaml new file mode 100644 index 000000000..0bac45aeb --- /dev/null +++ b/salt/curator/files/action/logs-system-security-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.security-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-system-system-default-close.yaml b/salt/curator/files/action/logs-system-system-default-close.yaml new file mode 100644 index 000000000..284d6e219 --- /dev/null +++ b/salt/curator/files/action/logs-system-system-default-close.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent system system indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.system-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-system-system-default-delete.yaml b/salt/curator/files/action/logs-system-system-default-delete.yaml new file mode 100644 index 000000000..4701d0492 --- /dev/null +++ b/salt/curator/files/action/logs-system-system-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.system-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-windows-powershell-default-close.yaml b/salt/curator/files/action/logs-windows-powershell-default-close.yaml new file mode 100644 index 000000000..7c3cebab3 --- /dev/null +++ b/salt/curator/files/action/logs-windows-powershell-default-close.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.powershell-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-windows-powershell-default-delete.yaml b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml new file mode 100644 index 000000000..447f8102b --- /dev/null +++ b/salt/curator/files/action/logs-windows-powershell-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.powershell-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml new file mode 100644 index 000000000..ae98b8939 --- /dev/null +++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-close.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %} +actions: + 1: + action: close + description: >- + Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days. + options: + delete_aliases: False + timeout_override: + continue_if_exception: False + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-windows.sysmon_operational-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{cur_close_days}} + exclude: diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml new file mode 100644 index 000000000..9a1cc6a9a --- /dev/null +++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml 
@@ -0,0 +1,27 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %} +actions: + 1: + action: delete_indices + description: >- + Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days. + options: + ignore_empty_list: True + disable_action: False + filters: + - filtertype: pattern + kind: regex + value: '^(.ds-logs-system.auth-default.*)$' + - filtertype: age + source: name + direction: older + timestring: '%Y.%m.%d' + unit: days + unit_count: {{ DELETE_DAYS }} + exclude: + + From f0d4c16b2ba35a5a7f990b4f4d2e51fdc091ebbd Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 14 Mar 2023 13:49:13 +0000 Subject: [PATCH 295/470] Add more Elastic Agent index keys for Curator --- salt/curator/defaults.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml index 958dd99ef..e1333c3a6 100644 --- a/salt/curator/defaults.yaml +++ b/salt/curator/defaults.yaml @@ -33,9 +33,24 @@ elasticsearch: logs-system-auth-default: close: 30 delete: 365 + logs-system-application-default: + close: 30 + delete: 365 + logs-system-security-default: + close: 30 + delete: 365 + logs-system-system-default: + close: 30 + delete: 365 logs-system-syslog-default: close: 30 delete: 365 + logs-windows-powershell-default: + close: 30 + delete: 365 + logs-windows-sysmon_operational-default: + close: 30 + delete: 365 so-beats: close: 30 delete: 365 From 766e6a79745671dc0cffad8d7c7f92d3071326fc Mon Sep 17 00:00:00 2001 
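Review bot: The new `close:`/`delete:` values for the system and windows keys carry no unit and no pointer to their consumer, and the file has no comment saying that the action files read them as `CURATORMERGED[<index>].close` / `.delete` and apply them with `unit: days`; a comment above the first entry, `# values are days; consumed via CURATORMERGED by the close/delete action files under files/action/`, would make that contract visible. Each key also needs a matching pair of action files; this page shows the powershell delete and the sysmon close/delete, but not the system-application/security/system or powershell close files, so check that they exist or the keys are inert.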
From: Wes Date: Tue, 14 Mar 2023 13:51:49 +0000 Subject: [PATCH 296/470] Add 'logs-windows-sysmon_operational-delete' for Windows Sysmon operational indices --- .../logs-windows-sysmon_operational-default-delete.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml index 9a1cc6a9a..a1413bc1c 100644 --- a/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml +++ b/salt/curator/files/action/logs-windows-sysmon_operational-default-delete.yaml @@ -3,19 +3,19 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %} actions: 1: action: delete_indices description: >- - Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days. + Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days. options: ignore_empty_list: True disable_action: False filters: - filtertype: pattern kind: regex - value: '^(.ds-logs-system.auth-default.*)$' + value: '^(.ds-logs-windows.sysmon_operational-default.*)$' - filtertype: age source: name direction: older From 7c39938e14b8d8c87484d46ad5890fbf5ffff2b8 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 14 Mar 2023 10:48:50 -0400 Subject: [PATCH 297/470] Change 'elastic_agent.filebeat' to 'elastic_agent-filebeat' --- .../files/action/logs-elastic_agent-filebeat-default-close.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml index 9277b25fd..1157f94b2 100644 
--- a/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml +++ b/salt/curator/files/action/logs-elastic_agent-filebeat-default-close.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set cur_close_days = CURATORMERGED['logs-elastic_agent.filebeat-default'].close %} +{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %} actions: 1: action: close From 8eba3426be104d34dc73247aa2e0ede293cda78e Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 14 Mar 2023 10:51:50 -0400 Subject: [PATCH 298/470] Remove extra dash for 'logs-elastic_agent-metricbeat-default' key --- .../action/logs-elastic_agent-metricbeat-default-delete.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml index b42e42c83..c69e1130a 100644 --- a/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml +++ b/salt/curator/files/action/logs-elastic_agent-metricbeat-default-delete.yaml @@ -3,7 +3,7 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -{%- set DELETE_DAYS = CURATORMERGED['logs--elastic_agent-metricbeat-default'].delete %} +{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %} actions: 1: action: delete_indices From b38d5df68407b2ed38a64e4a0a272951a3012a8d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 14 Mar 2023 13:25:51 -0400 Subject: [PATCH 299/470] set default mime_db --- salt/strelka/defaults.yaml | 2 +- salt/strelka/init.sls | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index cdd75a22d..8060f520d 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml 
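Review bot: `CURATORMERGED['logs-elastic_agent-filebeat-default'].close` is an unguarded lookup, so a key that does not match `salt/curator/defaults.yaml` fails when the action file is rendered, not when curator runs, and nothing in this hunk confirms the key exists there. The paired files (the filebeat delete action and the metricbeat close action) are touched neither here nor in the metricbeat delete hunk below, which fixes the same class of typo (`logs--elastic_agent-metricbeat-default`); check both carry the corrected spelling. Only the `set` line changes, so the rest of the action body lies outside this hunk.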
@@ -13,7 +13,7 @@ strelka: addr: 'HOST:6380' db: 0 tasting: - mime_db: null + mime_db: '/usr/lib/file/magic.mgc' yara_rules: '/etc/strelka/taste/' scanners: 'ScanBase64': diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index bded9ca70..80b43a017 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -58,6 +58,14 @@ backend_passwords: - defaults: PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }} +backend_taste: + file.managed: + - name: /opt/so/conf/strelka/backend/taste/taste.yara + - source: salt://strelka/files/backend/taste/taste.yara + - makedirs: True + - user: 939 + - group: 939 + filestream_config: file.managed: - name: /opt/so/conf/strelka/filestream/filestream.yaml From 7cf4e6b03b92a5c08c4833b96a94ed79a78f3728 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 14 Mar 2023 13:59:31 -0400 Subject: [PATCH 300/470] add rules dir, change so-yar-update to save to local/salt/strelka/rules --- salt/manager/files/so-yara-update.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/files/so-yara-update.jinja b/salt/manager/files/so-yara-update.jinja index beaa97ab6..d11ba1a76 100755 --- a/salt/manager/files/so-yara-update.jinja +++ b/salt/manager/files/so-yara-update.jinja @@ -7,7 +7,7 @@ echo "Starting to check for yara rule updates at $(date)..." -output_dir="/opt/so/saltstack/default/salt/strelka/rules" +output_dir="/opt/so/saltstack/local/salt/strelka/rules" mkdir -p $output_dir repos="/opt/so/conf/strelka/repos.txt" newcounter=0 From f9b8c78d74cd0686280412211757a741bc1ba5d3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 14 Mar 2023 14:43:13 -0400 Subject: [PATCH 301/470] move repos to rules dir --- salt/strelka/init.sls | 2 +- salt/strelka/{ => rules}/repos.txt.jinja | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename salt/strelka/{ => rules}/repos.txt.jinja (100%) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 80b43a017..f8b8262b0 100644 --- a/salt/strelka/init.sls 
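Review bot: `backend_taste` pins `user: 939`/`group: 939` but sets no `mode`, so `/opt/so/conf/strelka/backend/taste/taste.yara` ends up with whatever `file.managed` applies by default rather than a stated permission; adding `- mode: 640` (or whichever mode the neighbouring strelka states use, which are outside this hunk) keeps the permission deterministic across hosts and documents the intent. The `filestream_config` state that follows starts inside the hunk but continues past it.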
+++ b/salt/strelka/init.sls @@ -113,7 +113,7 @@ strelkarules: strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt - - source: salt://strelka/repos.txt.jinja + - source: salt://strelka/rules/repos.txt.jinja - template: jinja - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} diff --git a/salt/strelka/repos.txt.jinja b/salt/strelka/rules/repos.txt.jinja similarity index 100% rename from salt/strelka/repos.txt.jinja rename to salt/strelka/rules/repos.txt.jinja From a36a6d565921c3489a2de61ba4abf13f29ccf3d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 10:40:16 -0400 Subject: [PATCH 302/470] Strelka UI components --- salt/strelka/soc_strelka.yaml | 576 ++++++++++++++++++++++++++++++++++ 1 file changed, 576 insertions(+) create mode 100644 salt/strelka/soc_strelka.yaml diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml new file mode 100644 index 000000000..bd730579d --- /dev/null +++ b/salt/strelka/soc_strelka.yaml 
@@ -0,0 +1,576 @@ +strelka: + config: + backend: + backend: + logging_cfg: + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + limits: + max_files: + description: Max Files. + readonly: False + global: False + helpLink: strelka.html + time_to_live: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + max_depth: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + distribution: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + scanner: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + coordinator: + addr: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + tasting: + mime_db: '/usr/lib/file/magic.mgc' + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + yara_rules: '/etc/strelka/taste/' + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + scanners: + 'ScanBase64': + - positive: + filename: '^base64_' + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + priority: + description: Location in the container where the config file is located. 
+ readonly: False + global: False + helpLink: strelka.html + + 'ScanBatch': + - positive: + flavors: + - 'text/x-msdos-batch' + - 'batch_file' + priority: 5 + 'ScanBzip2': + - positive: + flavors: + - 'application/x-bzip2' + - 'bzip2_file' + priority: 5 + 'ScanDocx': + - positive: + flavors: + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + priority: 5 + options: + extract_text: False + 'ScanElf': + - positive: + flavors: + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + priority: 5 + 'ScanEmail': + - positive: + flavors: + - 'application/vnd.ms-outlook' + - 'message/rfc822' + - 'email_file' + priority: 5 + 'ScanEntropy': + - positive: + flavors: + - '*' + priority: 5 + 'ScanExiftool': + - positive: + flavors: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advacned: True + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanGif': + - positive: + flavors: + - 'image/gif' + - 'gif_file' + priority: 5 + 'ScanGzip': + - positive: + flavors: + - 'application/gzip' + - 'application/x-gzip' + - 'gzip_file' + priority: 5 + 'ScanHash': + - positive: + flavors: + - '*' + priority: 5 + 'ScanHeader': + - positive: + flavors: + - '*' + priority: 5 + options: + length: 50 + 'ScanHtml': + - positive: + flavors: + - 'hta_file' + - 'text/html' + - 'html_file' + priority: 5 + options: + parser: "html5lib" + 'ScanIni': + - positive: + filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' + flavors: + - 'ini_file' + priority: 5 + 'ScanJarManifest': + - positive: + flavors: + - 'jar_manifest_file' + priority: 5 + 'ScanJavascript': + - negative: + flavors: + - 'text/html' + - 'html_file' + positive: + flavors: + - 'javascript_file' + - 'text/javascript' + priority: 5 + options: + beautify: True + 'ScanJpeg': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + priority: 5 + 
'ScanJson': + - positive: + flavors: + - 'application/json' + - 'json_file' + priority: 5 + 'ScanLibarchive': + - positive: + flavors: + - 'application/vnd.ms-cab-compressed' + - 'cab_file' + - 'application/x-7z-compressed' + - '_7zip_file' + - 'application/x-cpio' + - 'cpio_file' + - 'application/x-xar' + - 'xar_file' + - 'arj_file' + - 'iso_file' + - 'application/x-debian-package' + - 'debian_package_file' + priority: 5 + options: + limit: 1000 + 'ScanLzma': + - positive: + flavors: + - 'application/x-lzma' + - 'lzma_file' + - 'application/x-xz' + - 'xz_file' + priority: 5 + 'ScanMacho': + - positive: + flavors: + - 'application/x-mach-binary' + - 'macho_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanOcr': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + priority: 5 + options: + extract_text: False + tmp_directory: '/dev/shm/' + 'ScanOle': + - positive: + flavors: + - 'application/CDFV2' + - 'application/msword' + - 'olecf_file' + priority: 5 + 'ScanPdf': + - positive: + flavors: + - 'application/pdf' + - 'pdf_file' + priority: 5 + options: + extract_text: False + limit: 2000 + 'ScanPe': + - positive: + flavors: + - 'application/x-dosexec' + - 'mz_file' + priority: 5 + 'ScanPgp': + - positive: + flavors: + - 'application/pgp-keys' + - 'pgp_file' + priority: 5 + 'ScanPhp': + - positive: + flavors: + - 'text/x-php' + - 'php_file' + priority: 5 + 'ScanPkcs7': + - positive: + flavors: + - 'pkcs7_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanPlist': + - positive: + flavors: + - 'bplist_file' + - 'plist_file' + priority: 5 + options: + keys: + - 'KeepAlive' + - 'Label' + - 'NetworkState' + - 'Program' + - 'ProgramArguments' + - 'RunAtLoad' + - 'StartInterval' + 'ScanRar': + - positive: + flavors: + - 'application/x-rar' + - 'rar_file' + priority: 5 + options: + limit: 1000 + 'ScanRpm': + - positive: + flavors: + - 
'application/x-rpm' + - 'rpm_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanRtf': + - positive: + flavors: + - 'text/rtf' + - 'rtf_file' + priority: 5 + options: + limit: 1000 + 'ScanRuby': + - positive: + flavors: + - 'text/x-ruby' + priority: 5 + 'ScanSwf': + - positive: + flavors: + - 'application/x-shockwave-flash' + - 'fws_file' + - 'cws_file' + - 'zws_file' + priority: 5 + 'ScanTar': + - positive: + flavors: + - 'application/x-tar' + - 'tar_file' + priority: 5 + options: + limit: 1000 + 'ScanTnef': + - positive: + flavors: + - 'application/vnd.ms-tnef' + - 'tnef_file' + priority: 5 + 'ScanUpx': + - positive: + flavors: + - 'upx_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanUrl': + - negative: + flavors: + - 'javascript_file' + positive: + flavors: + - 'text/plain' + priority: 5 + 'ScanVb': + - positive: + flavors: + - 'vb_file' + - 'vbscript' + priority: 5 + 'ScanVba': + - positive: + flavors: + - 'mhtml_file' + - 'application/msword' + - 'olecf_file' + - 'wordml_file' + priority: 5 + options: + analyze_macros: True + 'ScanX509': + - positive: + flavors: + - 'x509_der_file' + priority: 5 + options: + type: 'der' + - positive: + flavors: + - 'x509_pem_file' + priority: 5 + options: + type: 'pem' + 'ScanXml': + - positive: + flavors: + - 'application/xml' + - 'text/xml' + - 'xml_file' + - 'mso_file' + - 'soap_file' + priority: 5 + 'ScanYara': + - positive: + flavors: + - '*' + priority: 5 + options: + location: '/etc/yara/' + 'ScanZip': + - positive: + flavors: + - 'application/java-archive' + - 'application/zip' + - 'zip_file' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'ooxml_file' + priority: 5 + options: + limit: 1000 + password_file: '/etc/strelka/passwords.dat' + 'ScanZlib': + 
- positive: + flavors: + - 'application/zlib' + - 'zlib_file' + priority: 5 + logging: + version: 1 + formatters: + simple: + format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' + datefmt: '%Y-%m-%d %H:%M:%S' + handlers: + console: + class: logging.StreamHandler + formatter: simple + stream: ext://sys.stdout + root: + level: DEBUG + handlers: [console] + loggers: + OpenSSL: + propagate: 0 + bs4: + propagate: 0 + bz2: + propagate: 0 + chardet: + propagate: 0 + docx: + propagate: 0 + elftools: + propagate: 0 + email: + propagate: 0 + entropy: + propagate: 0 + esprima: + propagate: 0 + gzip: + propagate: 0 + hashlib: + propagate: 0 + json: + propagate: 0 + libarchive: + propagate: 0 + lxml: + propagate: 0 + lzma: + propagate: 0 + macholibre: + propagate: 0 + olefile: + propagate: 0 + oletools: + propagate: 0 + pdfminer: + propagate: 0 + pefile: + propagate: 0 + pgpdump: + propagate: 0 + pygments: + propagate: 0 + pylzma: + propagate: 0 + rarfile: + propagate: 0 + requests: + propagate: 0 + rpmfile: + propagate: 0 + ssdeep: + propagate: 0 + tarfile: + propagate: 0 + tnefparse: + propagate: 0 + yara: + propagate: 0 + zipfile: + propagate: 0 + zlib: + propagate: 0 + passwords: + - infected + - password + filestream: + conn: + server: 'HOST:57314' + cert: '' + timeout: + dial: 5s + file: 1m + throughput: + concurrency: 8 + chunk: 32768 + delay: 0s + files: + patterns: + - '/nsm/strelka/unprocessed/*' + delete: false + gatekeeper: true + processed: '/nsm/strelka/processed' + response: + report: 5s + delta: 5s + staging: '/nsm/strelka/staging' + frontend: + server: ":57314" + coordinator: + addr: 'HOST:6380' + db: 0 + gatekeeper: + addr: 'HOST:6381' + db: 0 + ttl: 1h + response: + log: "/var/log/strelka/strelka.log" + manager: + coordinator: + addr: 'HOST:6380' + db: 0 + + rules: + enabled: True + repos: + - https://github.com/Neo23x0/signature-base + excluded: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - 
gen_susp_js_obfuscatorio.yar + - gen_webshells.yar + - generic_anomalies.yar + - general_cloaking.yar + - thor_inverse_matches.yar + - yara_mixed_ext_vars.yar + - apt_apt27_hyperbro.yar + - apt_turla_gazer.yar + - gen_google_anomaly.yar + - gen_icon_anomalies.yar + - gen_nvidia_leaked_cert.yar + - gen_sign_anomalies.yar + - gen_susp_xor.yar + - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar + From fbefe229c1df363de269f387610c438c5067d614 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 15 Mar 2023 15:27:26 -0400 Subject: [PATCH 303/470] add test support to so-minion --- salt/common/tools/sbin/so-minion | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index 03f26c556..b565f5a31 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -23,6 +23,7 @@ if [[ $# -lt 1 ]]; then echo " accept: Accepts a new key and adds the minion files" echo " delete: Removes the key and deletes the minion files" echo " reject: Rejects a key" + echo " test: Ingest test data" echo "" exit 1 fi @@ -75,6 +76,22 @@ function getinstallinfo() { source <(echo $INSTALLVARS) } +function testminion() { + # Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone. + # Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image. + so-test + result=$? + + # If this so-minion script is not running on the given minion ID, run so-test remotely on the sensor as well + local_id=$(lookup_grain id) + if [[ ! "$local_id" =~ "${MINION_ID}_" ]]; then + salt "$MINION_ID" cmd.run 'so-test' + result=$? + fi + + exit $result +} + function listminions() { salt-key list -F --out=json exit $? 
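Review bot: Nearly every `description:` in the new `config.backend` block is the same copied sentence, "Location in the container where the config file is located.", including `limits.max_files`, `time_to_live`, `max_depth`, `distribution`, `scanner`, `coordinator.addr`/`db`, `tasting.mime_db`/`yara_rules` and the `ScanBase64` `filename`/`priority` entries, which is wrong for all but `logging_cfg`; each needs a sentence describing the key it annotates (for example `max_depth` presumably bounds extraction depth — confirm against Strelka's backend documentation before wording it). `advacned: True` under `ScanExiftool` is a typo for `advanced` and will be ignored by any consumer keying on `advanced`. `readonly: True`/`global: False`/`advanced: True` use YAML 1.1 capitalised booleans throughout; `true`/`false` is the safer spelling.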
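Review bot: In `testminion`, `result=$?` after `salt "$MINION_ID" cmd.run 'so-test'` records salt's own exit status, which is 0 whenever the job was dispatched regardless of what `so-test` returned on the sensor; `salt --retcode-passthrough "$MINION_ID" cmd.run 'so-test'` makes the remote failure propagate. The remote result also overwrites a failed local `so-test`, so a host-side failure is masked when the remote run passes; `[[ $result -ne 0 ]] && exit "$result"` before the remote call (or combining both codes) keeps it. `local_id` is assigned without `local`, leaking a function variable into the script's global scope.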
@@ -277,3 +294,7 @@ if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then create$NODETYPE echo "Minion file created for $MINION_ID" fi + +if [[ "$OPERATION" = 'test' ]]; then + testminion +fi \ No newline at end of file From 0d30c14561874e2cead1aced9eb24684576d42bf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 16:33:33 -0400 Subject: [PATCH 304/470] Re-Work IDSTOOLS --- salt/idh/init.sls | 2 ++ salt/idstools/defaults.yaml | 5 +++++ salt/idstools/etc/rulecat.conf | 39 ++++++++++++++++------------------ 3 files changed, 25 insertions(+), 21 deletions(-) create mode 100644 salt/idstools/defaults.yaml diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 2cf22c358..d1ba5ce33 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -74,6 +74,8 @@ so-idh: - file: opencanary_config - require: - file: opencanary_config + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-idh_so-status.conf: file.append: diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml new file mode 100644 index 000000000..f9f4da55c --- /dev/null +++ b/salt/idstools/defaults.yaml @@ -0,0 +1,5 @@ +idstools: + config: + urls: [] + ruleset: ETOPEN + oinkcode: \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 2b1a8cae1..771b87ff8 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
@@ -1,17 +1,14 @@
-{%- set URLS = salt['pillar.get']('idstools:config:urls') -%}
-{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
-{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
-{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
-{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
-{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
-{%- if ISAIRGAP is sameas true -%}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
+{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools:config', IDSTOOLSDEFAULTS.config, merge=True) %}
+{%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
-{%- if ENGINE == "SURICATA" %}
+{%- if GLOBAL.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/sorules/extraction.rules
 --local=/opt/so/rules/nids/sorules/filters.rules
-{%- endif %}
---url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules
+{%- endif %}
+--url=http://{{ GLOBALS.manager }}:7788/rules/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
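Review bot: The airgap branch tests `GLOBAL.md_engine`, but the name imported on the first line is `GLOBALS`, and the non-airgap branch in the next hunk uses `GLOBALS.md_engine`; as written the Suricata `extraction.rules`/`filters.rules` lines are never emitted for airgap installs, or the render fails, depending on how the renderer treats the undefined name. Change it to `{%- if GLOBALS.md_engine == "SURICATA" %}`. The `IDSTOOLSMERGED` lookup is re-keyed by two follow-up hunks on this page, so this note concerns only `GLOBAL`.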
@@ -19,23 +16,23 @@
 --suricata-version=6.0
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
-{%- if ENGINE == "SURICATA" %}
+{%- if GLOBALS.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/sorules/extraction.rules
 --local=/opt/so/rules/nids/sorules/filters.rules
-{%- endif %}
+{%- endif %}
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
- {%- if RULESET == 'ETOPEN' %}
+{%- if IDSTOOLSMERGED.ruleset == 'ETOPEN' %}
 --etopen
- {%- elif RULESET == 'ETPRO' %}
---etpro={{ OINKCODE }}
- {%- elif RULESET == 'TALOS' %}
---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }}
- {%- endif %}
+{%- elif IDSTOOLSMERGED.ruleset == 'ETPRO' %}
+--etpro={{ IDSTOOLSMERGED.oinkcode }}
+{%- elif IDSTOOLSMERGED.ruleset == 'TALOS' %}
+--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.oinkcode }}
+{%- endif %}
 {%- endif %}
-{%- if URLS != None %}
-{%- for URL in URLS %}
+{%- if IDSTOOLSMERGED.urls | length > 0 %}
+{%- for URL in IDSTOOLSMERGED.urls %}
 --url={{ URL }}
-{%- endfor %}
+{%- endfor %}
 {%- endif %}
\ No newline at end of file
From b56baf900cf3ba547a045dad5271a9f04d17651b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 15 Mar 2023 16:44:53 -0400
Subject: [PATCH 305/470] Re-Work IDSTOOLS
---
 pillar/top.sls | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/pillar/top.sls b/pillar/top.sls
index 60cface84..0c4c11957 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -51,6 +51,8 @@ base:
 - adv_global
 - manager.soc_manager
 - manager.adv_manager
+ - idstools.soc_idstools
+ - idstools.adv_idstools
 - soc.soc_soc
 - soc.adv_soc
 - kratos.soc_kratos
@@ -90,6 +92,9 @@ base:
 - elasticsearch.soc_elasticsearch
 - elasticsearch.adv_elasticsearch
 - manager.soc_manager
+ - manager.adv_manager
+ - idstools.soc_idstools
+ - idstools.adv_idstools
 - soc.soc_soc
 - kratos.soc_kratos
 - kratos.adv_kratos
@@ -120,6 +125,8 @@ base: - secrets - healthcheck.standalone - soc_global + - idstools.soc_idstools + - idstools.adv_idstools - kratos.soc_kratos - kratos.adv_kratos - redis.soc_redis @@ -129,6 +136,7 @@ base: - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch - manager.soc_manager + - manager.adv_manager - soc.soc_soc - backup.soc_backup - backup.adv_backup @@ -195,6 +203,7 @@ base: - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch - manager.soc_manager + - manager.adv_manager - soc.soc_soc - soc_global - adv_global From 02d013c0cc41bd37ee2d8ee4f1319910072a99c3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 16:47:43 -0400 Subject: [PATCH 306/470] Re-Work IDSTOOLS --- salt/idstools/etc/rulecat.conf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 771b87ff8..8a6840267 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -1,6 +1,6 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} {%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %} -{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools:config', IDSTOOLSDEFAULTS.config, merge=True) %} +{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS, merge=True) %} {%- if GLOBALS.airgap is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules 
@@ -23,16 +23,16 @@
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.ruleset == 'ETOPEN' %}
+{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
 --etopen
-{%- elif IDSTOOLSMERGED.ruleset == 'ETPRO' %}
---etpro={{ IDSTOOLSMERGED.oinkcode }}
-{%- elif IDSTOOLSMERGED.ruleset == 'TALOS' %}
---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.oinkcode }}
+{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
+--etpro={{ IDSTOOLSMERGED.config.oinkcode }}
+{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
+--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
 {%- endif %}
 {%- endif %}
-{%- if IDSTOOLSMERGED.urls | length > 0 %}
-{%- for URL in IDSTOOLSMERGED.urls %}
+{%- if IDSTOOLSMERGED.config.urls | length > 0 %}
+{%- for URL in IDSTOOLSMERGED.config.urls %}
 --url={{ URL }}
 {%- endfor %}
 {%- endif %}
\ No newline at end of file
From 28dc4907755c48d171362e6352e930f9d60abef5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 15 Mar 2023 16:58:52 -0400
Subject: [PATCH 307/470] Re-Work IDSTOOLS
---
 salt/idstools/defaults.yaml | 2 +-
 setup/so-functions | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml
index f9f4da55c..2d81c80e5 100644
--- a/salt/idstools/defaults.yaml
+++ b/salt/idstools/defaults.yaml
@@ -2,4 +2,4 @@ idstools:
 config:
 urls: []
 ruleset: ETOPEN
- oinkcode:
\ No newline at end of file
+ oinkcode: ""
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 78033bda5..e11542639 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1362,8 +1362,7 @@ idstools_pillar() {
 printf '%s\n'\
 "idstools:"\
 " config:"\
- " ruleset: '$RULESETUP'"\
- " oinkcode: '$OINKCODE'"\
+ " oinkcode: ''"\
 " urls: []"\
 " sids:"\
 " enabled: []"\
From afcd1155bf4996f0b9e730d77d46bdb297ab4e24 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 17:19:33 -0400 Subject: [PATCH 308/470] Re-Work IDSTOOLS --- salt/idstools/defaults.yaml | 6 +++++- salt/idstools/etc/rulecat.conf | 2 +- setup/so-functions | 11 ----------- 3 files changed, 6 insertions(+), 13 deletions(-) diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml index 2d81c80e5..d23f23dd9 100644 --- a/salt/idstools/defaults.yaml +++ b/salt/idstools/defaults.yaml @@ -2,4 +2,8 @@ idstools: config: urls: [] ruleset: ETOPEN - oinkcode: "" \ No newline at end of file + oinkcode: "" + sids: + enabled: [] + isabled: [] + modify: [] \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 8a6840267..fad421243 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -1,6 +1,6 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} {%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %} -{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS, merge=True) %} +{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %} {%- if GLOBALS.airgap is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules diff --git a/setup/so-functions b/setup/so-functions index e11542639..2f5c8e1a0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1359,17 +1359,6 @@ ls_heapsize() { idstools_pillar() { title "Ading IDSTOOLS pillar options" touch $adv_idstools_pillar_file - printf '%s\n'\ - "idstools:"\ - " config:"\ - " oinkcode: ''"\ - " urls: []"\ - " sids:"\ - " enabled: []"\ - " disabled: []"\ - " modify: []"\ - "" > "$idstools_pillar_file" - } soc_pillar() { From d4f5209e392e7ce4c63aebf79fd423277720d096 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 15 Mar 2023 17:22:54 -0400 Subject: [PATCH 309/470] Re-Work IDSTOOLS --- salt/idstools/defaults.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml index d23f23dd9..e937ebc2d 100644 --- a/salt/idstools/defaults.yaml +++ b/salt/idstools/defaults.yaml @@ -4,6 +4,6 @@ idstools: ruleset: ETOPEN oinkcode: "" sids: - enabled: [] - isabled: [] - modify: [] \ No newline at end of file + enabled: [] + disabled: [] + modify: [] \ No newline at end of file From 3156b1ed0c122a241bd8ab4abc823f0d0b44a0fc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 17:53:14 -0400 Subject: [PATCH 310/470] Re-Work Backups --- salt/backup/config_backup.sls | 1 + salt/backup/defaults.yaml | 3 ++- salt/backup/soc_backup.yaml | 10 ++++++++++ salt/backup/tools/sbin/so-config-backup.jinja | 3 ++- 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 salt/backup/soc_backup.yaml diff --git a/salt/backup/config_backup.sls b/salt/backup/config_backup.sls index b4eeccfc1..20616f780 100644 --- a/salt/backup/config_backup.sls +++ b/salt/backup/config_backup.sls @@ -19,6 +19,7 @@ config_backup_script: - source: salt://backup/tools/sbin/so-config-backup.jinja - defaults: BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }} + DESTINATION: {{ BACKUP_MERGED.destination }} # Add config backup so_config_backup: diff --git a/salt/backup/defaults.yaml b/salt/backup/defaults.yaml index 9b8d5909d..1aae64910 100644 --- a/salt/backup/defaults.yaml +++ b/salt/backup/defaults.yaml @@ -3,4 +3,5 @@ backup: - /opt/so/saltstack/local - /etc/pki - /etc/salt - - /opt/so/conf/kratos + - /nsm/kratos + destination: "/nsm/backup" \ No newline at end of file diff --git a/salt/backup/soc_backup.yaml b/salt/backup/soc_backup.yaml new file mode 100644 index 000000000..bedecb1ca --- /dev/null +++ b/salt/backup/soc_backup.yaml 
@@ -0,0 +1,10 @@ +backup: + locations: + description: List of locations to back up to the destination. + helpLink: backup.html + global: True + destination: + description: Directory to store the configuration backups in. + helpLink: backup.html + global: True + \ No newline at end of file diff --git a/salt/backup/tools/sbin/so-config-backup.jinja b/salt/backup/tools/sbin/so-config-backup.jinja index c0e24cd80..23e407653 100755 --- a/salt/backup/tools/sbin/so-config-backup.jinja +++ b/salt/backup/tools/sbin/so-config-backup.jinja @@ -8,7 +8,8 @@ . /usr/sbin/so-common TODAY=$(date '+%Y_%m_%d') -BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar" +BACKUPDIR={{ DESTINATION }} +BACKUPFILE="$BACKUPDIR/so-config-backup-$TODAY.tar" MAXBACKUPS=7 # Create backup dir if it does not exist From f288d0dd6162d0d29c6d85e6297f1643bf7c95f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 17:58:15 -0400 Subject: [PATCH 311/470] Re-Work Backups --- setup/so-functions | 3 --- 1 file changed, 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2f5c8e1a0..88cd8bb6c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1488,9 +1488,6 @@ create_strelka_pillar() { backup_pillar() { title "Create the backup pillar file" touch $adv_backup_pillar_file - printf '%s\n'\ - "backup:"\ - " locations: []" > "$backup_pillar_file" } soctopus_pillar() { From 49df376bcce6bb1b3236256397fd7be8c350d405 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 15 Mar 2023 19:24:03 -0400 Subject: [PATCH 312/470] Remove non-existant Ruby scanner --- salt/strelka/defaults.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 8060f520d..2c3b88513 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -308,11 +308,6 @@ strelka: priority: 5 options: limit: 1000 - 'ScanRuby': - - positive: - flavors: - - 'text/x-ruby' - priority: 5 'ScanSwf': - positive: flavors: 
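Review bot: `BACKUPDIR={{ DESTINATION }}` is substituted into the rendered script unquoted, so a destination containing whitespace or shell metacharacters changes the meaning of the line instead of becoming part of the path; write it as `BACKUPDIR="{{ DESTINATION }}"` to match the quoting already used on the `BACKUPFILE` line below it. This matters more now that the same commit exposes `destination` as a global, operator-editable setting in soc_backup.yaml, and since the default `locations` list in defaults.yaml includes /etc/pki, /etc/salt and the kratos data, the archive holds key material. The "Create backup dir" step referenced by the trailing context comment is outside the hunk; it should create the directory with restrictive permissions, e.g. `mkdir -p -m 0700 "$BACKUPDIR"`, so the archives are not readable by other local users.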
From 3ab3e4712ce5474ea381e2da6c49961d606a922b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 16 Mar 2023 09:16:28 -0400 Subject: [PATCH 313/470] remove kilo for merge --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 7f2e97617..197c4d5c2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-kilo +2.4.0 From 53e93f01c6de24f0fedd6595d3173fa359d4bb0b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 09:49:57 -0400 Subject: [PATCH 314/470] Force an update after repo is configured --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index b3b1319a5..d0afbe9f8 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1959,6 +1959,7 @@ securityonion_repo() { echo "Syncing Repo" repo_sync_local fi + logCmd "dnf -y update" fi } From a96473554d0c4d60c6a2025d66fb0ebf773eef1e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 16 Mar 2023 12:56:04 -0400 Subject: [PATCH 315/470] Add IDH log ingest --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 4e60bf9ad..8d3d7735a 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -103,3 +103,9 @@ echo echo "Setting up Redis package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }' echo + +# IDH logs +echo +echo "Setting up IDh package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' +echo \ No newline at end of file From d78128dbf4175e2f453bf0e151fa397a2500861b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 16 Mar 2023 13:11:12 -0400 Subject: [PATCH 316/470] Formatting --- salt/common/tools/sbin/so-elastic-fleet-integration-policy-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 8d3d7735a..bc65161fa 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
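Review bot: The rename processors in the new IDH policy map `src_host` to `source.ip` but `dst_host` to `destination.host`; if OpenCanary records `dst_host` as an address the same way it does `src_host`, the asymmetric mapping keeps the destination out of the ECS IP fields that dashboards and detections key on, so `to: "destination.ip"` is the likely intent — please confirm against a sample event before shipping. The policy also uses `"namespace":"so"` while the Redis policy directly above uses `default`; if that difference is deliberate, a one-line comment above the curl would save the next reader a question. As with the existing blocks, the HTTP status of the POST is not checked, so a rejected policy (bad package version, duplicate id) is silently ignored; `--fail` or inspecting the response body would surface it. The final `echo` also lacks a trailing newline.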
@@ -106,6 +106,6 @@ echo # IDH logs echo -echo "Setting up IDh package policy..." +echo "Setting up IDH package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' echo \ No newline at end of file From 6e3194486c275f0beb6dba0386e2c209ec82a62a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 13:50:22 -0400 Subject: [PATCH 317/470] Force package update before syncing the repo --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index d0afbe9f8..b377a8d15 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1985,6 +1985,7 @@ repo_sync_local() { echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf dnf repolist + logCmd "dnf -c /root/repodownload.conf -y upgrade" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 849e82e39f5170ac1c8cf5a93d707ef083af7c01 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:36:43 -0400 Subject: [PATCH 318/470] Force package updates and curl check fix --- setup/so-functions | 9 +++++---- setup/so-whiptail | 4 +++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index b377a8d15..3e2f55b3f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -139,11 +139,11 @@ check_admin_pass() { check_manager_connection() { # See if you can curl the manager. If not you can either try again or continue info "Checking manager connectivity" - man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) + man_test_err=$(curl -s $MSRVIP:4505 --connect-timeout 5 2>&1) local ret=$? - if [[ $ret != 0 ]]; then + if [[ $ret != 1 ]]; then error "Could not reach $MSRV" whiptail_manager_unreachable fi 
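Review bot: The reworked `check_manager_connection` treats curl exit status 1 as success and everything else as failure, which encodes the intent (the salt publish port accepted the TCP connection and answered with non-HTTP bytes) through a side effect of curl rather than stating it; at minimum add a comment on the `man_test_err=` line such as `# 4505 is ZeroMQ, not HTTP: curl exits 1 (unsupported protocol) once the connection is accepted; connect failures and timeouts return other codes`, and a direct TCP probe would be clearer still. With `-s` but no `-S`, curl suppresses its error message, so `man_test_err` is presumably always empty now; keep `-sS` if that variable is shown in the whiptail or log path that follows outside the hunk. Note the previous check also verified the manager's HTTPS repo endpoint, which this version no longer does, so a manager whose web/repo service is down now passes. `$MSRVIP` should be quoted, `"$MSRVIP:4505"`.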
@@ -1984,8 +1984,9 @@ repo_sync_local() { echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf - dnf repolist - logCmd "dnf -c /root/repodownload.conf -y upgrade" + logCmd "dnf repolist" + echo "This is trying to work" + logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" diff --git a/setup/so-whiptail b/setup/so-whiptail index 6123ea97d..bf1463c67 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1143,11 +1143,13 @@ whiptail_reinstall() { read -r -d '' message <<- EOM Setup has detected a previous install. Continuing the install will remove the previous install configuration. + Selecting continue is a destructive action. + Would you like to continue? EOM whiptail --title "$whiptail_title" \ - --yesno "$message" 11 75 \ + --yesno "$message" 13 75 \ --yes-button "Continue" --no-button "Exit" --defaultno local exitstatus=$? From 957467eae0446e86ad7f4aaf9f02c03169789ec0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:41:29 -0400 Subject: [PATCH 319/470] Force package update before syncing the repo --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 3e2f55b3f..70562fcf8 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1985,8 +1985,9 @@ repo_sync_local() { echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf logCmd "dnf repolist" - echo "This is trying to work" + info "This is trying to work" logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing" + info "There should be an update here # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 2b65c1498d856b1427871b777f77c9493807c93c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:45:04 -0400 Subject: [PATCH 320/470] Force package update before syncing the repo --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 70562fcf8..5a9af8000 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1987,7 +1987,7 @@ repo_sync_local() { logCmd "dnf repolist" info "This is trying to work" logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing" - info "There should be an update here + info "There should be an update here" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From ef4882198a90c29e714136a7ca43ddc82c71aa34 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:48:57 -0400 Subject: [PATCH 321/470] Force package update before syncing the repo --- setup/so-functions | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/setup/so-functions b/setup/so-functions index 5a9af8000..3a6d2bbfd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1985,9 +1985,6 @@ repo_sync_local() { echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf logCmd "dnf repolist" - info "This is trying to work" - logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing" - info "There should be an update here" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" @@ -2385,7 +2382,7 @@ update_sudoers() { update_packages() { if [[ $is_rocky ]]; then logCmd "dnf repolist" - logCmd "dnf -y update --exclude=salt*,wazuh*,docker*,containerd*" + logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*" else retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 From d12367ed751bdef85e735dd18331d58053351518 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:54:00 -0400 Subject: [PATCH 322/470] Force package update before syncing the repo --- setup/so-functions | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 3a6d2bbfd..2378e31c5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1959,7 +1959,6 @@ securityonion_repo() { echo "Syncing Repo" repo_sync_local fi - logCmd "dnf -y update" fi } From 2056ce37c6414c46b0961b57206c9829aa59024d Mon Sep 17 00:00:00 2001 
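Review bot: Adding `--allowerasing` to the `dnf -y update` in `update_packages` lets dnf remove installed packages to resolve dependency conflicts, and the `--exclude` list only keeps the named patterns out of the transaction; a comment stating which conflict this works around, e.g. `# --allowerasing: required to resolve <conflicting package> — TODO name it`, would keep the flag from being dropped or cargo-culted later. Unlike the apt branch, which ends each command with `|| exit 1`, the Rocky branch relies on `logCmd` and continues on failure unless logCmd itself aborts (not visible here); if it does not, a failed update is only noticeable in the setup log. The `update_packages` body continues outside the hunk.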
From: m0duspwnens Date: Thu, 16 Mar 2023 16:32:41 -0400 Subject: [PATCH 323/470] strelka ui things --- salt/strelka/defaults.yaml | 11 +- salt/strelka/filecheck/filecheck.yaml.jinja | 3 +- salt/strelka/filecheck/map.jinja | 12 - salt/strelka/init.sls | 10 +- salt/strelka/map.jinja | 10 + salt/strelka/soc_strelka.yaml | 953 ++++++++++---------- 6 files changed, 507 insertions(+), 492 deletions(-) delete mode 100644 salt/strelka/filecheck/map.jinja diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 8060f520d..96c8501ce 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -531,10 +531,9 @@ strelka: response: log: "/var/log/strelka/strelka.log" manager: - coordinator: - addr: 'HOST:6380' - db: 0 - + coordinator: + addr: 'HOST:6380' + db: 0 rules: enabled: True repos: @@ -557,3 +556,7 @@ strelka: - gen_susp_xor.yar - gen_webshells_ext_vars.yar - configured_vulns_ext_vars.yar + filecheck: + historypath: '/nsm/strelka/history/' + strelkapath: '/nsm/strelka/unprocessed/' + logfile: '/opt/so/log/strelka/filecheck.log' diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja index 95c5abab2..c3ee4ef67 100644 --- a/salt/strelka/filecheck/filecheck.yaml.jinja +++ b/salt/strelka/filecheck/filecheck.yaml.jinja @@ -1 +1,2 @@ -{{ FILECHECKCONFIG | yaml(false) }} +filecheck: +{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} diff --git a/salt/strelka/filecheck/map.jinja b/salt/strelka/filecheck/map.jinja deleted file mode 100644 index 670136b45..000000000 --- a/salt/strelka/filecheck/map.jinja +++ /dev/null 
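Review bot: In filecheck.yaml.jinja, `{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }}` leaves the first line of the rendered mapping unindented, because Jinja's `indent` filter skips the first line unless `first=True`; if the template line itself starts at column 0, as the hunk shows, the first key of `filecheck` is emitted at the root and the rendered file is not the nested structure the new `filecheck:` header intends. Either `{{ FILECHECKCONFIG | yaml(false) | indent(width=2, first=True) }}` or two leading spaces before the expression fixes it. Collapsed whitespace in this view makes the exact column uncertain, so verify against the rendered file on a minion rather than the template.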
@@ -1,12 +0,0 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %} - -{% if GLOBALS.md_engine == "SURICATA" %} -{% set extract_path = '/nsm/suricata/extracted' %} -{% set filecheck_runas = 'suricata' %} -{% else %} -{% set extract_path = '/nsm/zeek/extracted/complete' %} -{% set filecheck_runas = 'socore' %} -{% endif %} - -{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %} diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index f8b8262b0..8a59b0721 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -99,7 +99,7 @@ manager_config: - defaults: MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} -{% if STRELKAMERGED.rules.enabled %} +{% if STRELKAMERGED.rules.enabled %} strelkarules: file.recurse: @@ -109,7 +109,7 @@ strelkarules: - group: 939 - clean: True -{% if grains['role'] in GLOBALS.manager_roles %} +{% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt @@ -118,8 +118,8 @@ strelkarepos: - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} strelkadatadir: file.directory: @@ -185,7 +185,7 @@ filecheck_conf: - source: salt://strelka/filecheck/filecheck.yaml.jinja - template: jinja - defaults: - FILECHECKCONFIG: {{ FILECHECKDEFAULTS }} + FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }} filecheck_script: file.managed: diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja index bf0a29a17..5df15aa59 100644 --- a/salt/strelka/map.jinja +++ b/salt/strelka/map.jinja 
@@ -17,4 +17,14 @@ {% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %} {% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %} +{% if GLOBALS.md_engine == "SURICATA" %} +{% set extract_path = '/nsm/suricata/extracted' %} +{% set filecheck_runas = 'suricata' %} +{% else %} +{% set extract_path = '/nsm/zeek/extracted/complete' %} +{% set filecheck_runas = 'socore' %} +{% endif %} + +{% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %} + {% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %} diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index bd730579d..dbe949817 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml 
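Review bot: `filecheck_runas` is assigned in both branches of the new `md_engine` block but, unlike `extract_path`, is never folded into `STRELKADEFAULTS.strelka.filecheck` or otherwise referenced in the hunk; a `{% set %}` in map.jinja is only visible to states that import it by name, so if init.sls expects it through the merged dict it will be missing. Either consume it explicitly in the importing state or drop the two assignments if nothing needs them. A one-line comment above the block, e.g. `{# computed before the pillar merge so a pillar-set extract_path still overrides it #}`, would also document why the `update()` precedes `STRELKAMERGED`.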
@@ -3,574 +3,587 @@ strelka: backend: backend: logging_cfg: - description: Location in the container where the config file is located. + description: Path to the Python logging configuration. readonly: True global: False helpLink: strelka.html advanced: True limits: max_files: - description: Max Files. + description: Number of files the backend will process before shutting down. readonly: False global: False helpLink: strelka.html time_to_live: - description: Location in the container where the config file is located. + description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable). readonly: False global: False helpLink: strelka.html max_depth: - description: Location in the container where the config file is located. + description: Maximum depth that extracted files will be processed by the backend. readonly: False global: False helpLink: strelka.html distribution: - description: Location in the container where the config file is located. + description: Amount of time (in seconds) that a single file can be distributed to all scanners. readonly: False global: False helpLink: strelka.html scanner: - description: Location in the container where the config file is located. + description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner). readonly: False global: False helpLink: strelka.html coordinator: addr: - description: Location in the container where the config file is located. + description: Network address of the coordinator. readonly: False global: False helpLink: strelka.html advanced: True - db: - description: Location in the container where the config file is located. + db: + description: Redis database of the coordinator. readonly: False global: False helpLink: strelka.html advanced: True tasting: - mime_db: '/usr/lib/file/magic.mgc' - description: Location in the container where the config file is located. 
+ mime_db: + description: Location of the MIME database used to taste files. readonly: True global: False helpLink: strelka.html advanced: True - yara_rules: '/etc/strelka/taste/' - description: Location in the container where the config file is located. + yara_rules: + description: Location of the directory of YARA files that contains rules used to taste files. readonly: True global: False helpLink: strelka.html advanced: True scanners: - 'ScanBase64': - - positive: - filename: '^base64_' - description: Location in the container where the config file is located. - readonly: False - global: False - helpLink: strelka.html - advanced: True - priority: - description: Location in the container where the config file is located. - readonly: False - global: False - helpLink: strelka.html - - 'ScanBatch': - - positive: - flavors: - - 'text/x-msdos-batch' - - 'batch_file' - priority: 5 - 'ScanBzip2': - - positive: - flavors: - - 'application/x-bzip2' - - 'bzip2_file' - priority: 5 - 'ScanDocx': - - positive: - flavors: - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - priority: 5 - options: - extract_text: False - 'ScanElf': - - positive: - flavors: - - 'application/x-object' - - 'application/x-executable' - - 'application/x-sharedlib' - - 'application/x-coredump' - - 'elf_file' - priority: 5 - 'ScanEmail': - - positive: - flavors: - - 'application/vnd.ms-outlook' - - 'message/rfc822' - - 'email_file' - priority: 5 - 'ScanEntropy': - - positive: - flavors: - - '*' - priority: 5 - 'ScanExiftool': - - positive: - flavors: - description: Location in the container where the config file is located. 
- readonly: False - global: False - helpLink: strelka.html - advacned: True - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanGif': - - positive: - flavors: - - 'image/gif' - - 'gif_file' - priority: 5 - 'ScanGzip': - - positive: - flavors: - - 'application/gzip' - - 'application/x-gzip' - - 'gzip_file' - priority: 5 - 'ScanHash': - - positive: - flavors: - - '*' - priority: 5 - 'ScanHeader': - - positive: - flavors: - - '*' - priority: 5 - options: - length: 50 - 'ScanHtml': - - positive: - flavors: - - 'hta_file' - - 'text/html' - - 'html_file' - priority: 5 - options: - parser: "html5lib" - 'ScanIni': - - positive: - filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' - flavors: - - 'ini_file' - priority: 5 - 'ScanJarManifest': - - positive: - flavors: - - 'jar_manifest_file' - priority: 5 - 'ScanJavascript': - - negative: - flavors: - - 'text/html' - - 'html_file' - positive: - flavors: - - 'javascript_file' - - 'text/javascript' - priority: 5 - options: - beautify: True - 'ScanJpeg': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - priority: 5 - 'ScanJson': - - positive: - flavors: - - 'application/json' - - 'json_file' - priority: 5 - 'ScanLibarchive': - - positive: - flavors: - - 'application/vnd.ms-cab-compressed' - - 'cab_file' - - 'application/x-7z-compressed' - - '_7zip_file' - - 'application/x-cpio' - - 'cpio_file' - - 'application/x-xar' - - 'xar_file' - - 'arj_file' - - 'iso_file' - - 'application/x-debian-package' - - 'debian_package_file' - priority: 5 - options: - limit: 1000 - 'ScanLzma': - - positive: - flavors: - - 'application/x-lzma' - - 'lzma_file' - - 'application/x-xz' - - 'xz_file' - priority: 5 - 'ScanMacho': - - positive: - flavors: - - 'application/x-mach-binary' - - 'macho_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanOcr': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - - 'image/png' - - 'png_file' - - 'image/tiff' - - 'type_is_tiff' - - 'image/x-ms-bmp' - - 'bmp_file' - 
priority: 5 - options: - extract_text: False - tmp_directory: '/dev/shm/' - 'ScanOle': - - positive: - flavors: - - 'application/CDFV2' - - 'application/msword' - - 'olecf_file' - priority: 5 - 'ScanPdf': - - positive: - flavors: - - 'application/pdf' - - 'pdf_file' - priority: 5 - options: - extract_text: False - limit: 2000 - 'ScanPe': - - positive: - flavors: - - 'application/x-dosexec' - - 'mz_file' - priority: 5 - 'ScanPgp': - - positive: - flavors: - - 'application/pgp-keys' - - 'pgp_file' - priority: 5 - 'ScanPhp': - - positive: - flavors: - - 'text/x-php' - - 'php_file' - priority: 5 - 'ScanPkcs7': - - positive: - flavors: - - 'pkcs7_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanPlist': - - positive: - flavors: - - 'bplist_file' - - 'plist_file' - priority: 5 - options: - keys: - - 'KeepAlive' - - 'Label' - - 'NetworkState' - - 'Program' - - 'ProgramArguments' - - 'RunAtLoad' - - 'StartInterval' - 'ScanRar': - - positive: - flavors: - - 'application/x-rar' - - 'rar_file' - priority: 5 - options: - limit: 1000 - 'ScanRpm': - - positive: - flavors: - - 'application/x-rpm' - - 'rpm_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanRtf': - - positive: - flavors: - - 'text/rtf' - - 'rtf_file' - priority: 5 - options: - limit: 1000 - 'ScanRuby': - - positive: - flavors: - - 'text/x-ruby' - priority: 5 - 'ScanSwf': - - positive: - flavors: - - 'application/x-shockwave-flash' - - 'fws_file' - - 'cws_file' - - 'zws_file' - priority: 5 - 'ScanTar': - - positive: - flavors: - - 'application/x-tar' - - 'tar_file' - priority: 5 - options: - limit: 1000 - 'ScanTnef': - - positive: - flavors: - - 'application/vnd.ms-tnef' - - 'tnef_file' - priority: 5 - 'ScanUpx': - - positive: - flavors: - - 'upx_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanUrl': - - negative: - flavors: - - 'javascript_file' - positive: - flavors: - - 'text/plain' - priority: 5 - 'ScanVb': - - positive: - flavors: - - 'vb_file' - - 'vbscript' - 
priority: 5 - 'ScanVba': - - positive: - flavors: - - 'mhtml_file' - - 'application/msword' - - 'olecf_file' - - 'wordml_file' - priority: 5 - options: - analyze_macros: True - 'ScanX509': - - positive: - flavors: - - 'x509_der_file' - priority: 5 - options: - type: 'der' - - positive: - flavors: - - 'x509_pem_file' - priority: 5 - options: - type: 'pem' - 'ScanXml': - - positive: - flavors: - - 'application/xml' - - 'text/xml' - - 'xml_file' - - 'mso_file' - - 'soap_file' - priority: 5 - 'ScanYara': - - positive: - flavors: - - '*' - priority: 5 - options: - location: '/etc/yara/' - 'ScanZip': - - positive: - flavors: - - 'application/java-archive' - - 'application/zip' - - 'zip_file' - - 'application/vnd.openxmlformats-officedocument' - - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - - 'ooxml_file' - priority: 5 - options: - limit: 1000 - password_file: '/etc/strelka/passwords.dat' - 'ScanZlib': - - positive: - flavors: - - 'application/zlib' - - 'zlib_file' - priority: 5 + 'ScanBase64': &scannerOptions + description: Configuration options for this scanner. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + type: json + multiline: True + 'ScanBatch': *scannerOptions + 'ScanBzip2': *scannerOptions + 'ScanDocx': *scannerOptions + 'ScanElf': *scannerOptions + 'ScanEmail': *scannerOptions + 'ScanEntropy': *scannerOptions + 'ScanExiftool': *scannerOptions + 'ScanGif': *scannerOptions + 'ScanGzip': *scannerOptions + 'ScanHash': *scannerOptions + 'ScanHeader': *scannerOptions + 'ScanHtml': *scannerOptions + 'ScanIni': *scannerOptions + 'ScanJarManifest': *scannerOptions + 'ScanJavascript': *scannerOptions + 'ScanJpeg': *scannerOptions + 'ScanJson': *scannerOptions + 'ScanLibarchive': *scannerOptions + 'ScanLzma': *scannerOptions + 'ScanMacho': *scannerOptions + 'ScanOcr': *scannerOptions + 'ScanOle': *scannerOptions + 'ScanPdf': *scannerOptions + 'ScanPe': *scannerOptions + 'ScanPgp': *scannerOptions + 'ScanPhp': *scannerOptions + 'ScanPkcs7': *scannerOptions + 'ScanPlist': *scannerOptions + 'ScanRar': *scannerOptions + 'ScanRpm': *scannerOptions + 'ScanRtf': *scannerOptions + 'ScanRuby': *scannerOptions + 'ScanSwf': *scannerOptions + 'ScanTar': *scannerOptions + 'ScanTnef': *scannerOptions + 'ScanUpx': *scannerOptions + 'ScanUrl': *scannerOptions + 'ScanVb': *scannerOptions + 'ScanVba': *scannerOptions + 'ScanX509': *scannerOptions + 'ScanXml': *scannerOptions + 'ScanYara': *scannerOptions + 'ScanZip': *scannerOptions + 'ScanZlib': *scannerOptions logging: - version: 1 + version: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True formatters: simple: - format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' - datefmt: '%Y-%m-%d %H:%M:%S' + format: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + datefmt: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True handlers: console: - class: logging.StreamHandler - formatter: simple - stream: ext://sys.stdout + class: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + formatter: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + stream: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True root: - level: DEBUG - handlers: [console] + level: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + handlers: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True loggers: OpenSSL: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True bs4: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True bz2: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True chardet: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True docx: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True elftools: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True email: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True entropy: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True esprima: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True gzip: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True hashlib: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True json: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True libarchive: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True lxml: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True lzma: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True macholibre: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True olefile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True oletools: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pdfminer: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pefile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pgpdump: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pygments: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pylzma: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True rarfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True requests: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True rpmfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True ssdeep: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True tarfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True tnefparse: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True yara: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True zipfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True zlib: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True passwords: - - infected - - password + description: Passwords that will be stored in the password_file used in scanner options. + readonly: False + global: False + helpLink: strelka.html + multiline: True filestream: conn: - server: 'HOST:57314' - cert: '' + server: + description: Network address of the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + cert: + description: Local path to the frontend SSL server certificate. + readonly: False + global: False + helpLink: strelka.html + advanced: True timeout: - dial: 5s - file: 1m + dial: + description: Amount of time to wait for the client to dial the server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + file: + description: Amount of time to wait for an individual file to complete a scan. + readonly: False + global: False + helpLink: strelka.html + advanced: True throughput: - concurrency: 8 - chunk: 32768 - delay: 0s + concurrency: + description: Number of concurrent requests to make. + readonly: False + global: False + helpLink: strelka.html + advanced: True + chunk: + description: Size of file chunks that will be sent to the frontend server. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + delay: + description: Artificial sleep between the submission of each chunk. + readonly: False + global: False + helpLink: strelka.html + advanced: True files: patterns: - - '/nsm/strelka/unprocessed/*' - delete: false - gatekeeper: true - processed: '/nsm/strelka/processed' + description: List of glob patterns that determine which files will be sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delete: + description: Boolean that determines if files should be deleted after being sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + gatekeeper: + description: Boolean that determines if events should be pulled from the temporary event cache. + readonly: False + global: False + helpLink: strelka.html + advanced: True + processed: + description: Directory where files will be moved after being submitted for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True response: - report: 5s - delta: 5s - staging: '/nsm/strelka/staging' + report: + description: Frequency at which the frontend reports the number of files processed. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delta: + description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + staging: + description: Directory where files are staged before being sent to the cluster. + readonly: False + global: False + helpLink: strelka.html + advanced: True frontend: - server: ":57314" + server: + description: Network address of the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True coordinator: - addr: 'HOST:6380' - db: 0 + addr: + description: Network address of the coordinator. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True gatekeeper: - addr: 'HOST:6381' - db: 0 - ttl: 1h + addr: + description: Network address of the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + ttl: + description: Time-to-live for events added to the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True response: - log: "/var/log/strelka/strelka.log" + log: + description: Location where worker scan results are logged to. + readonly: False + global: False + helpLink: strelka.html + advanced: True manager: - coordinator: - addr: 'HOST:6380' - db: 0 - + coordinator: + addr: + description: Network address of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True rules: - enabled: True + enabled: + description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. + readonly: False + global: False + helpLink: strelka.html + advanced: False repos: - - https://github.com/Neo23x0/signature-base + description: List of repos for so-yara-update to use to download rules. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: False excluded: - - apt_flame2_orchestrator.yar - - apt_tetris.yar - - gen_susp_js_obfuscatorio.yar - - gen_webshells.yar - - generic_anomalies.yar - - general_cloaking.yar - - thor_inverse_matches.yar - - yara_mixed_ext_vars.yar - - apt_apt27_hyperbro.yar - - apt_turla_gazer.yar - - gen_google_anomaly.yar - - gen_icon_anomalies.yar - - gen_nvidia_leaked_cert.yar - - gen_sign_anomalies.yar - - gen_susp_xor.yar - - gen_webshells_ext_vars.yar - - configured_vulns_ext_vars.yar + description: List of rules to exclude so-yara-update from download and propagating to backend nodes. + readonly: False + global: False + helpLink: strelka.html + advanced: False + filecheck: + historypath: + description: The path for previously scanned files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + strelkapath: + description: The path for unprocessed files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + logfile: + description: The path for the filecheck log. + readonly: False + global: False + helpLink: strelka.html + advanced: True From 0dfbbfcf8e13b7a6b8aad9136f9b40253c4d7896 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Mar 2023 16:37:38 -0400 Subject: [PATCH 324/470] fix spacing on filecheck config --- salt/strelka/filecheck/filecheck.yaml.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja index c3ee4ef67..1f5453f93 100644 --- a/salt/strelka/filecheck/filecheck.yaml.jinja +++ b/salt/strelka/filecheck/filecheck.yaml.jinja @@ -1,2 +1,2 @@ filecheck: -{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} + {{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} From a9b8877268adcd8fd946e5904505a7dc89c688b5 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 16 Mar 2023 17:15:52 -0400 Subject: [PATCH 325/470] remove filecheckdefaults from strelka init --- salt/strelka/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 8a59b0721..b732dc257 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -9,7 +9,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} -{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} {% from 'strelka/filecheck/map.jinja' import filecheck_runas %} # Strelka config From dd4461daf44f78478963eb8f67c03457947e24a5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Mar 2023 17:50:19 -0400 Subject: [PATCH 326/470] remove other filecheck map import --- salt/strelka/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index b732dc257..8df8a0774 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -9,7 +9,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} -{% from 'strelka/filecheck/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: From bd1eb9c7df07464bcdd8f5cd06547c74169a1d2b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 18:05:38 -0400 Subject: [PATCH 327/470] Change yum to dnf --- salt/repo/client/rocky.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/repo/client/rocky.sls b/salt/repo/client/rocky.sls index a99d3f422..405bba7f6 100644 --- a/salt/repo/client/rocky.sls +++ b/salt/repo/client/rocky.sls @@ -16,13 +16,13 @@ file.absent: - name: {{ REPOPATH }}{{ file }} - onchanges_in: - - cmd: cleanyum + - cmd: cleandnf {% endfor %} {% endif %} -cleanyum: +cleandnf: cmd.run: - - name: 'yum clean all' + - name: 'dnf clean all' - onchanges: - so_repo From 924d598a8afdc176682978971e56955622903478 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 17 Mar 2023 08:38:56 -0400 Subject: [PATCH 328/470] add filecheck_runas --- salt/strelka/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 8df8a0774..bbb2bcaf6 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -9,6 +9,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'strelka/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: From 8f5daa785b82627e4c6bf2322acf44e182cbe799 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 17 Mar 2023 10:14:44 -0400 Subject: [PATCH 329/470] Add next steps to install summary --- setup/so-whiptail | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 6123ea97d..ce11101fb 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1281,14 +1281,25 @@ whiptail_setup_complete() { local accessMessage="" fi - + MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) read -r -d '' message <<- EOM - Finished ${install_type} installation. + ${install_type} initialization is now complete! + + To finish configuration, open the Security Onion Console web interface + and navigate to Administration -> Grid Members. + + Then find this node in the Pending Members list, + click the Review button, and then click the Accept button. + + Node Hostname: $HOSTNAME + Node Fingerprint: + $MINIONFINGERPRINT + $accessMessage - Press the Enter key to exit setup. + Press TAB and then the ENTER key to exit this screen. EOM - whiptail --title "$whiptail_title" --msgbox "$message" 12 75 + whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext } whiptail_setup_failed() { From c5b16494d7f3561332e232f02b2a5c4d29e3be8d Mon Sep 17 00:00:00 2001 
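Review bot: `MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only)` has no failure path, so if the minion key has not been generated yet or salt-call errors, the summary prints an empty `Node Fingerprint:` and the operator has nothing to compare against the Grid Members review screen, which defeats the out-of-band key check this screen is meant to enable. Make the variable local and fall back to an explicit marker: `local MINIONFINGERPRINT; MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only 2>/dev/null) || MINIONFINGERPRINT='(unavailable - run: salt-call --local key.finger on this node)'`. A short comment above that line should state that the operator must confirm this value matches what SOC shows before clicking Accept, since accepting a key that does not match would let an impersonating host join the grid. whiptail_setup_complete starts before this hunk.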
From: Doug Burks Date: Fri, 17 Mar 2023 10:21:21 -0400 Subject: [PATCH 330/470] Fix typo and improve formatting in so-whiptail --- setup/so-whiptail | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 8eac58dbe..4ed473381 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -974,9 +974,10 @@ whiptail_manager_unreachable() { read -r -d '' msg <<- EOM Setup is unable to access the manager at this time. - Run the following on the manger: + Run the following on the manager: so-firewall-minion --role=$install_type --ip=$MAINIP + Would you like to retry? EOM whiptail --title "$whiptail_title" --yesno "$msg" 20 75 From 4944365341d3a74feb3a1b019b5bbb096944aaea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Mar 2023 11:02:02 -0400 Subject: [PATCH 331/470] Change the salt dir for elastic fleet --- salt/allowed_states.map.jinja | 10 +++++----- .../tools/sbin/so-elastic-agent-gen-installers | 4 ++-- .../files/so_agent-installers/readme | 0 salt/{elastic-fleet => elasticfleet}/init.sls | 0 .../install_agent_grid.sls | 2 +- salt/nginx/init.sls | 2 +- salt/ssl/init.sls | 6 +++--- salt/top.sls | 18 +++++++++--------- 8 files changed, 21 insertions(+), 21 deletions(-) rename salt/{elastic-fleet => elasticfleet}/files/so_agent-installers/readme (100%) rename salt/{elastic-fleet => elasticfleet}/init.sls (100%) rename salt/{elastic-fleet => elasticfleet}/install_agent_grid.sls (86%) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 3548a7f0d..a837950e4 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -34,7 +34,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', @@ -105,7 +105,7 @@ 'schedule', 'tcpreplay', 'docker_clean', - 'elastic-fleet' + 'elasticfleet' ], 'so-manager': [ 'salt.master', 
@@ -118,7 +118,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', @@ -137,7 +137,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'manager', 'idstools', @@ -166,7 +166,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers index 131292dab..128f894e4 100755 --- a/salt/common/tools/sbin/so-elastic-agent-gen-installers +++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers @@ -24,11 +24,11 @@ mkdir -p /tmp/elastic-agent-workspace for OS in "${CONTAINERGOOS[@]}" do printf "\n\nGenerating $OS Installer..." - cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz + cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz docker run -e CGO_ENABLED=0 -e GOOS=$OS \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ - --mount type=bind,source=/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/,target=/output/ \ + --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS printf "\n $OS Installer Generated..." done 
diff --git a/salt/elastic-fleet/files/so_agent-installers/readme b/salt/elasticfleet/files/so_agent-installers/readme similarity index 100% rename from salt/elastic-fleet/files/so_agent-installers/readme rename to salt/elasticfleet/files/so_agent-installers/readme diff --git a/salt/elastic-fleet/init.sls b/salt/elasticfleet/init.sls similarity index 100% rename from salt/elastic-fleet/init.sls rename to salt/elasticfleet/init.sls diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elasticfleet/install_agent_grid.sls similarity index 86% rename from salt/elastic-fleet/install_agent_grid.sls rename to salt/elasticfleet/install_agent_grid.sls index 2f848ac2e..c4c389cea 100644 --- a/salt/elastic-fleet/install_agent_grid.sls +++ b/salt/elasticfleet/install_agent_grid.sls @@ -9,7 +9,7 @@ run_installer: cmd.script: - - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux + - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux - args: -token={{ GRIDNODETOKEN }} {% endif %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index e3a13c2f2..52d018354 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -95,7 +95,7 @@ so-nginx: - /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/run:rw - - /opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/:/opt/socore/html/packages + - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index bf31fff27..4a521f12c 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
@@ -210,19 +210,19 @@ chownilogstashelasticfleetp8: # Create Symlinks to the keys so I can distribute it to all the things elasticfleetdircerts: file.directory: - - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs - makedirs: True efkeylink: file.symlink: - - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8 + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.p8 - target: /etc/pki/elasticfleet.p8 - user: socore - group: socore efcrtlink: file.symlink: - - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.crt - target: /etc/pki/elasticfleet.crt - user: socore - group: socore diff --git a/salt/top.sls b/salt/top.sls index a07e16013..2c6ad266f 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -59,7 +59,7 @@ base: {%- endif %} - schedule - docker_clean - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid '*_eval and G@saltversion:{{saltversion}}': - match: compound @@ -147,7 +147,7 @@ base: - schedule - soctopus - playbook - - elastic-fleet + - elasticfleet - docker_clean '*_standalone and G@saltversion:{{saltversion}}': @@ -198,7 +198,7 @@ base: - schedule - soctopus - playbook - - elastic-fleet + - elasticfleet - docker_clean '*_searchnode and G@saltversion:{{saltversion}}': @@ -215,7 +215,7 @@ base: - logstash {%- endif %} - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean '*_managersearch and G@saltversion:{{saltversion}}': @@ -257,7 +257,7 @@ base: - schedule - soctopus - playbook - - elastic-fleet + - elasticfleet - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': @@ -286,7 +286,7 @@ base: - zeek {%- endif %} - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean '*_import and G@saltversion:{{saltversion}}': 
@@ -317,7 +317,7 @@ base: - suricata - zeek - schedule - - elastic-fleet + - elasticfleet - docker_clean '*_receiver and G@saltversion:{{saltversion}}': @@ -333,7 +333,7 @@ base: - redis {%- endif %} - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean '*_idh and G@saltversion:{{saltversion}}': @@ -343,7 +343,7 @@ base: - telegraf - firewall - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean - idh From d7b0ed93c9b4d53f482ed75c3eac75f1fb2f8651 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Mar 2023 11:27:29 -0400 Subject: [PATCH 332/470] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 2378e31c5..96c357c74 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -144,7 +144,7 @@ check_manager_connection() { local ret=$? if [[ $ret != 1 ]]; then - error "Could not reach $MSRV" + info "Could not reach $MSRV" whiptail_manager_unreachable fi } From caa08e9cf0b5b80a79bc3f429b5ecf659e0bc5db Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Mar 2023 11:44:56 -0400 Subject: [PATCH 333/470] Change the salt dir for elastic fleet --- salt/common/tools/sbin/so-elastic-fleet-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 9c2d60eca..13eb81ecb 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
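Review bot: Downgrading `Could not reach $MSRV` from `error` to `info` removes the only error-level record of a failed manager connectivity check from the setup log, even though the operator is then shown a blocking retry prompt; if the logging helpers provide a `warn`/`warning` level that is the right level here, otherwise keep `error` and quiet only the on-screen output. The test `[[ $ret != 1 ]]` also treats status 0 as unreachable, which only makes sense if the command preceding the hunk is negated or returns 1 on success, and that is not visible here — a one-line comment such as `# the probe above returns 1 when the manager answered` would stop the next reader from "fixing" it. check_manager_connection begins before this hunk.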
@@ -97,13 +97,13 @@ salt-call state.apply elastic-fleet queue=True /usr/sbin/so-elastic-fleet-integration-policy-load # Temp -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git #cd securityonion-image/so-elastic-agent-builder #docker build -t so-elastic-agent-builder . so-elastic-agent-gen-installers -salt-call state.apply elastic-fleet.install_agent_grid queue=True +salt-call state.apply elasticfleet.install_agent_grid queue=True From 536391bb3bd16133b254b14f5216ae4fc6745a8a Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Fri, 17 Mar 2023 16:14:29 -0400 Subject: [PATCH 334/470] rename elasticfleet state --- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 13eb81ecb..ac2ce47f9 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -91,7 +91,7 @@ printf '%s\n'\ "" >> "$global_pillar_file" # Call Elastic-Fleet Salt State -salt-call state.apply elastic-fleet queue=True +salt-call state.apply elasticfleet queue=True # Load Elastic Fleet integrations /usr/sbin/so-elastic-fleet-integration-policy-load From 792732a8cfe56dc79fe542e6b3a4b9d890098892 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 18 Mar 2023 13:09:46 -0400 Subject: [PATCH 335/470] summary changes --- setup/so-whiptail | 66 +++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 4ed473381..1a286f0f0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -1271,38 +1271,54 @@ whiptail_setup_complete() { [ -n "$TESTING" ] && return - if [[ -n "$REDIRECTIT" && $is_manager = true ]]; then + + if [[ $waitforstate ]]; then + # Manager-type Nodes - Install Summary if [[ -n $ALLOW_CIDR ]]; then local sentence_prefix="Access" else local sentence_prefix="Run so-allow to access" fi - local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n" - elif [[ $is_idh ]]; then - local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n" + + read -r -d '' message <<- EOM + ${install_type} setup is now complete! + + ${sentence_prefix} the Security Onion Console web interface by navigating to: + https://${REDIRECTIT} + + Login with the following username and the password: + + SOC Username: ${WEBUSER} + SOC Password: Use the password that was entered during setup + + Press TAB and then the ENTER key to exit this screen. + EOM + whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext else - local accessMessage="" + if [[ $is_idh ]]; then + local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n" + else + local accessMessage="" + fi + MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) + read -r -d '' message <<- EOM + ${install_type} initialization is now complete! + + To finish configuration, open the Security Onion Console web interface + and navigate to Administration -> Grid Members. + + Then find this node in the Pending Members list, + click the Review button, and then click the Accept button. + + Node Hostname: $HOSTNAME + Node Fingerprint: + $MINIONFINGERPRINT + $accessMessage + Press TAB and then the ENTER key to exit this screen. 
+ EOM + + whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext fi - - MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) - read -r -d '' message <<- EOM - ${install_type} initialization is now complete! - - To finish configuration, open the Security Onion Console web interface - and navigate to Administration -> Grid Members. - - Then find this node in the Pending Members list, - click the Review button, and then click the Accept button. - - Node Hostname: $HOSTNAME - Node Fingerprint: - $MINIONFINGERPRINT - - $accessMessage - Press TAB and then the ENTER key to exit this screen. - EOM - - whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext } whiptail_setup_failed() { From 5b9ff06a8544bb14be22efe799822e98898dc369 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sun, 19 Mar 2023 09:17:12 -0400 Subject: [PATCH 336/470] Setup Kibana default space --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 4 +++- salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index bc65161fa..b87ede0fe 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load @@ -17,7 +17,9 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http: # Disable certain Features from showing up in the Kibana UI echo -echo "Setting up default Security Onion package policies for Elastic Agent..." +echo "Disable certain Features from showing up in the Kibana UI" +so-kibana-space-defaults +echo # Suricata logs echo diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index 9175a36bc..430054e06 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults 
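Review bot: The manager branch now keys only on `[[ $waitforstate ]]` and drops the old `-n "$REDIRECTIT"` guard, so when REDIRECTIT is unset the summary prints a bare `https://` as the SOC address. Either restore the `-n "$REDIRECTIT"` check before composing that line or build the URL line conditionally so an empty value is never shown. The same branch prints `${WEBUSER}` but deliberately does not echo the password, which is correct for a screen that may end up in console captures — a comment such as `# never print the SOC password here; it may be captured in console logs` would keep that from being "improved" later. whiptail_setup_complete starts before this hunk.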
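Review bot: `so-kibana-space-defaults` is run as a separate process, and the `SESSIONCOOKIE` assigned in this script (seen in the hunk header) is a plain shell variable rather than an exported one, so the child's `-b "sid=$SESSIONCOOKIE"` will send an empty cookie unless that script establishes its own session, which is not visible here. Either `export SESSIONCOOKIE` before the call or confirm the child logs in on its own. The replaced line `echo "Setting up default Security Onion package policies for Elastic Agent..."` reads as the heading for the policy loads that follow rather than a duplicate, so consider re-adding it after the new `echo`. The call is also by bare name while the policy loader is invoked as `/usr/sbin/so-elastic-fleet-integration-policy-load`; use the same absolute path for consistency.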
+++ b/salt/common/tools/sbin/so-kibana-space-defaults @@ -13,6 +13,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From cbf7b66729df561e674c675e5fb9acef8e0a4e7b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 20 Mar 2023 07:29:10 -0400 Subject: [PATCH 337/470] Set wget to be quiet --- salt/common/tools/sbin/so-elastic-fleet-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 9c2d60eca..f76deb317 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
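Review bot: The `curl ... -X PUT .../api/spaces/space/default` call has no `--fail` and its exit status is not checked, only its output appended to misc.log, so if the session cookie is empty or Kibana rejects the body the default space is silently left unchanged and the intent of this commit (making `fleet`/`fleetv2` visible) is not applied. Add `-f` and test the result, e.g. `|| echo "Failed to update default Kibana space" >&2`, so the setup log records the failure. A comment above the non-HIGHLANDER branch noting that Fleet is intentionally left enabled would keep the feature list from being re-hardened later.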
@@ -97,9 +97,9 @@ salt-call state.apply elastic-fleet queue=True /usr/sbin/so-elastic-fleet-integration-policy-load # Temp -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git #cd securityonion-image/so-elastic-agent-builder From c89bae73190f49ed36313b4c71056aef613d405a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 20 Mar 2023 07:51:44 -0400 Subject: [PATCH 338/470] Wording tweaks --- setup/so-whiptail | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
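Review bot: `--progress=bar:force:noscroll` does not make wget quiet as the subject says; it only changes the progress rendering, and `-q` or `-nv` is what suppresses output, so either the flag or the commit message should be corrected. More importantly, the three tarballs are written straight into the Salt file tree that serves agent installers to endpoints with no integrity check after download: the release is pinned by tag (8.4.1) but nothing compares the files against a known digest, so a truncated or tampered download is distributed as-is. Fetching a checksum file for the pinned release alongside the archives and running `sha256sum -c` before leaving them in place would close that gap; the `# Temp` marker suggests this path is a stopgap, which is all the more reason to note the missing verification in a comment.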
diff --git a/setup/so-whiptail b/setup/so-whiptail index 1a286f0f0..331c27be3 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1283,10 +1283,10 @@ whiptail_setup_complete() { read -r -d '' message <<- EOM ${install_type} setup is now complete! - ${sentence_prefix} the Security Onion Console web interface by navigating to: + ${sentence_prefix} the Security Onion Console (SOC) web interface by navigating to: https://${REDIRECTIT} - Login with the following username and the password: + Then login with the following username and password. SOC Username: ${WEBUSER} SOC Password: Use the password that was entered during setup From cdbbc8e64c9e6c9c5c8cb9c3b706d3d6c56e4f0d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 09:46:57 -0400 Subject: [PATCH 339/470] Add gui components for fleet --- salt/elasticfleet/soc_elasticfleet.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 salt/elasticfleet/soc_elasticfleet.yaml diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml new file mode 100644 index 000000000..0e111feca --- /dev/null +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -0,0 +1,18 @@ +elasticfleet: + server: + endpoints_enrollment: + description: Endpoint enrollment key. + global: True + helpLink: elastic-fleet.html + es_token: + description: Elastic auth token. + global: True + helpLink: elastic-fleet.html + grid_enrollment: + description: Grid enrollment key. + global: True + helpLink: elastic-fleet.html + url: + description: Agent connection URL. + global: True + helpLink: elastic-fleet.html \ No newline at end of file From 43712182a0275d55bc2b15135a41e941dc267ade Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 Mar 2023 10:46:23 -0400 Subject: [PATCH 340/470] update help for clarity --- salt/common/tools/sbin/so-minion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
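Review bot: `es_token`, `endpoints_enrollment` and `grid_enrollment` are credentials by their own descriptions (auth token, enrollment keys), yet the annotations present them exactly like ordinary settings with `global: True` and give no indication that they are sensitive. The only flags used by the annotation files on this page are `global`, `advanced`, `readonly` and `multiline`, so if the SOC configuration UI has a way to mask or restrict such values it should be applied here; if it does not, a comment above each such as `# secret: value is a credential, do not display in plain text` would at least warn the next maintainer. The file also ends without a trailing newline (`\ No newline at end of file`).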
diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index b565f5a31..d14955e61 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -23,7 +23,7 @@ if [[ $# -lt 1 ]]; then echo " accept: Accepts a new key and adds the minion files" echo " delete: Removes the key and deletes the minion files" echo " reject: Rejects a key" - echo " test: Ingest test data" + echo " test: Perform minion test" echo "" exit 1 fi From da1c501cf7a9c1d7ce13ff1184cac575b5f17363 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 Mar 2023 11:01:07 -0400 Subject: [PATCH 341/470] Move old setup/error logs before any logs are written on a subsequent setup invocation --- setup/so-setup | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 814fc6e79..5356965aa 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -58,6 +58,10 @@ while [[ $# -gt 0 ]]; do esac done +# Preserve old setup/error logs +[ -f "$error_log" ] && mv "$error_log" "$error_log.$(+%Y-%m-%dT%H:%M:%S)" +[ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(+%Y-%m-%dT%H:%M:%S)" + # Let's see what OS we are dealing with here detect_os @@ -134,9 +138,7 @@ title "Checking to see if install has run before" if [[ -f /root/accept_changes ]]; then is_reinstall=true whiptail_reinstall - info "Old setup detected. Moving the last setup.log to setup.log.bak" - mv "$setup_log" "$setup_log.bak" - [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" + info "Old setup detected. Preparing for reinstallation." reinstall_init reset_proxy fi @@ -267,7 +269,7 @@ if ! [[ -f $install_opt_file ]]; then if (whiptail_you_sure); then true else - error "User cancelled setup." + info "User cancelled setup." whiptail_cancel fi # If this is an analyst install lets streamline the process. From 6b8b7df3c23e457d2b75bb53c0c1f4267cbcfa35 Mon Sep 17 00:00:00 2001 
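Review bot: `$(+%Y-%m-%dT%H:%M:%S)` on the two new `mv` lines is a command substitution with no command in it — the shell attempts to execute `+%Y-%m-%dT%H:%M:%S` itself, prints a command-not-found error and expands to nothing, so every run renames to `setup.log.` and overwrites the previous rotated copy; the following commit on this page adds the missing `date`. Once that is fixed, the rotated logs accumulate without bound, so a pruning step or at least a comment on retention is worth adding. Rotation now happens on every invocation before `detect_os`, whereas the block removed in the second hunk only rotated on reinstall; that looks intended, and `# Rotate on every run, not only on reinstall, so nothing is written over a previous attempt` would make it explicit.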
From: Jason Ertel Date: Mon, 20 Mar 2023 11:04:28 -0400 Subject: [PATCH 342/470] Move old setup/error logs before any logs are written on a subsequent setup invocation --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 5356965aa..88a2fd045 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -59,8 +59,8 @@ while [[ $# -gt 0 ]]; do done # Preserve old setup/error logs -[ -f "$error_log" ] && mv "$error_log" "$error_log.$(+%Y-%m-%dT%H:%M:%S)" -[ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(+%Y-%m-%dT%H:%M:%S)" +[ -f "$error_log" ] && mv "$error_log" "$error_log.$(date +%Y-%m-%dT%H:%M:%S)" +[ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(date +%Y-%m-%dT%H:%M:%S)" # Let's see what OS we are dealing with here detect_os From 823dde2856bca31f475ee324a018de1cde0739ad Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 11:17:15 -0400 Subject: [PATCH 343/470] Adjust repo sync --- salt/common/tools/sbin/so-repo-sync | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index 9ea697673..c69aa44ad 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync @@ -12,5 +12,5 @@ set_os salt_minion_count curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup -dnf reposync --norepopath -n -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ +dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ createrepo /nsm/repo \ No newline at end of file From 325e767587963cdf936e1caa1abcf0718431888c Mon Sep 17 00:00:00 2001 
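Review bot: Dropping `-n` makes `dnf reposync` mirror every version of each package that upstream still carries instead of only the newest, so `/nsm/repo` grows with each retained release; if the full history is needed (for example to allow downgrades), a comment saying so would stop the next person from putting `-n` back. The unchanged `createrepo /nsm/repo` that follows still runs regardless of the reposync exit status, so an interrupted or partial sync is published to the grid as a usable repository; `dnf reposync … && createrepo /nsm/repo`, or `set -e` at the top of the script, would prevent that. The file also still lacks a trailing newline.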
From: Josh Brower Date: Mon, 20 Mar 2023 12:11:45 -0400 Subject: [PATCH 344/470] Remove hosts file edit --- salt/idh/init.sls | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/idh/init.sls b/salt/idh/init.sls index d1ba5ce33..2cf22c358 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -74,8 +74,6 @@ so-idh: - file: opencanary_config - require: - file: opencanary_config - - extra_hosts: - - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-idh_so-status.conf: file.append: From c43194665e1d55c2646d523285e8efc9c6c9767f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 20 Mar 2023 12:57:13 -0400 Subject: [PATCH 345/470] add sudo prefix --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 331c27be3..f58f65fa2 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -976,7 +976,7 @@ whiptail_manager_unreachable() { Run the following on the manager: - so-firewall-minion --role=$install_type --ip=$MAINIP + sudo so-firewall-minion --role=$install_type --ip=$MAINIP Would you like to retry? EOM From 9a43cd71e0bccad05935faa6d2280268c879e6eb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 15:19:54 -0400 Subject: [PATCH 346/470] Adjust docker annotations --- salt/docker/soc_docker.yaml | 281 ++++++++++++++++++++++++++++++++++++ 1 file changed, 281 insertions(+) create mode 100644 salt/docker/soc_docker.yaml diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml new file mode 100644 index 000000000..87f23cd64 --- /dev/null +++ b/salt/docker/soc_docker.yaml 
@@ -0,0 +1,281 @@ +docker: + bip: + description: Bind IP for the default docker interface. + helpLink: docker.html + advanced: True + range: + description: Default docker IP range for containers. + helpLink: docker.html + advanced: True + sobip: + description: Bind IP for the SO docker interface. + helpLink: docker.html + sorange: + description: IP range for the SO docker containers. + helpLink: docker.html + advanced: True + containers: + so-curator: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-dockerregistry: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-elastalert: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-elastic-fleet-package-registry: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-elastic-fleet: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-elasticsearch: + final_octet: + description: Last octet of the container IP address. 
+ helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-idh: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-idstools: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-influxdb: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-kibana: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-kratos: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-logstash: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-mysql: + final_octet: + description: Last octet of the container IP address. 
+ helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-nginx: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-playbook: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-redis: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-soc: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-soctopus: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-strelka-backend: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-strelka-coordinator: + final_octet: + description: Last octet of the container IP address. 
+ helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-strelka-filestream: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-strelka-frontend: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-strelka-gatekeeper: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True + so-strelka-manager: + final_octet: + description: Last octet of the container IP address. + helpLink: docker.html + readonly: True + advanced: True + port_bindings: + description: List of port bindings for the container. + helpLink: docker.html + advanced: True + multilint: True \ No newline at end of file From 903ad530fe9f6f4c72f7bae29d1e5a8a2a80b76b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 20 Mar 2023 15:28:33 -0400 Subject: [PATCH 347/470] move zeek bpf from zeek pillar to bpf pillar --- pillar/top.sls | 2 ++ salt/bpf/defaults.yaml | 7 ++++--- salt/bpf/soc_bpf.yaml | 3 +++ salt/bpf/zeek.map.jinja | 4 ++++ salt/vars/standalone.map.jinja | 4 +++- salt/zeek/defaults.yaml | 1 - salt/zeek/init.sls | 8 +++++--- 7 files changed, 21 insertions(+), 8 deletions(-) create mode 100644 salt/bpf/zeek.map.jinja diff --git a/pillar/top.sls b/pillar/top.sls index 0c4c11957..c16b556d1 100644 --- a/pillar/top.sls +++ b/pillar/top.sls 
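Review bot: `multilint: True` on every `port_bindings` annotation looks like a typo for `multiline: True`, the key used by soc_bpf.yaml later on this page; as written the flag is presumably unknown to the consumer and port bindings would render as a single-line field. The twenty-three container stanzas are byte-identical copies, which is what a later commit on this page collapses with an anchor; either way the file ends without a trailing newline. `final_octet` is `readonly` while `port_bindings` is editable, and a short comment such as `# final_octet is assigned by the grid; only port_bindings is user-editable` would explain the asymmetry.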
@@ -19,6 +19,8 @@ base: '*_eval or *_heavynode or *_sensor or *_standalone or *_import': - match: compound - zeek + - bpf.soc_bpf + - bpf.adv_bpf '*_managersearch or *_heavynode': - match: compound diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml index 329537494..e9bc76dfb 100644 --- a/salt/bpf/defaults.yaml +++ b/salt/bpf/defaults.yaml @@ -1,4 +1,5 @@ bpf: - pcap: [] - suricata: [] - zeek: [] \ No newline at end of file + pcap: [] + suricata: [] + zeek: + - ip or not ip diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 86e4c0ee8..0474b2e62 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -1,10 +1,13 @@ bpf: pcap: description: List of BPF filters to apply to PCAP. + multiline: True helpLink: bpf.html suricata: description: List of BPF filters to apply to Suricata. + multiline: True helpLink: bpf.html zeek: description: List of BPF filters to apply to Zeek. + multiline: True helpLink: bpf.html diff --git a/salt/bpf/zeek.map.jinja b/salt/bpf/zeek.map.jinja new file mode 100644 index 000000000..1bfb6799e --- /dev/null +++ b/salt/bpf/zeek.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} + +{% set ZEEKBPF = BPFMERGED.zeek %} diff --git a/salt/vars/standalone.map.jinja b/salt/vars/standalone.map.jinja index 2efabefed..0e49a327d 100644 --- a/salt/vars/standalone.map.jinja +++ b/salt/vars/standalone.map.jinja @@ -1,12 +1,14 @@ {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} {% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %} +{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %} {% set ROLE_GLOBALS = {} %} {% set STANDALONE_GLOBALS = [ ELASTICSEARCH_GLOBALS, - LOGSTASH_GLOBALS + LOGSTASH_GLOBALS, + SENSOR_GLOBALS ] %} diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml index 18e8a4d8a..a21bf3389 100644 --- a/salt/zeek/defaults.yaml +++ b/salt/zeek/defaults.yaml 
@@ -102,4 +102,3 @@ zeek: - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc - application/vnd.openxmlformats-officedocument: doc - bpf: [] diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 5cc6310b9..41103f399 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -10,6 +10,8 @@ {% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %} {% from "zeek/config.map.jinja" import ZEEKMERGED with context %} +{% from 'bpf/zeek.map.jinja' import ZEEKBPF %} + {% set BPF_STATUS = 0 %} # Zeek Salt State @@ -162,8 +164,8 @@ zeekpacketlosscron: - dayweek: '*' # BPF compilation and configuration -{% if ZEEKMERGED.zeek.bpf %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %} +{% if ZEEKBPF %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_STATUS = 1 %} {% else %} @@ -181,7 +183,7 @@ zeekbpf: - user: 940 - group: 940 {% if BPF_STATUS %} - - contents: {{ ZEEKMERGED.bpf }} + - contents: {{ ZEEKBPF }} {% else %} - contents: - "ip or not ip" From fe13f90394c7e82a99de424d9a1802e9b5348476 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 15:33:22 -0400 Subject: [PATCH 348/470] Adjust docker annotations --- salt/docker/defaults.yaml | 7 + salt/docker/soc_docker.yaml | 282 ++++-------------------------------- 2 files changed, 34 insertions(+), 255 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index 1fcc114b1..ebb979281 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -19,6 +19,7 @@ docker: - 0.0.0.0:9300:9300/tcp 'so-idstools': final_octet: 25 + port_bindings: [] 'so-influxdb': final_octet: 26 port_bindings: 
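Review bot: With `bpf/defaults.yaml` now shipping `zeek: [ip or not ip]` instead of an empty list, `{% if ZEEKBPF %}` in the `-162,8 +164,8` hunk is always true, so `so-bpf-compile` runs on every state apply even on sensors with no custom filter, where previously the compile step only ran when a filter was configured. The list is joined with plain spaces into a single argument, so two entries such as `ip or not ip` and a second filter become one expression with no `and`/`or` between them and are unlikely to compile; the default entry should probably be dropped or the join operator documented. Because `soc_bpf.yaml` now marks this value `multiline: True` for editing in the SOC UI, the string reaches `cmd.script` as user-controlled input — confirm that so-bpf-compile quotes or validates its arguments rather than handing them to a shell unquoted. Success is still judged by `BPF_CALC['stderr'] == ""` (context lines) rather than the return code, which a mere warning on stderr would misclassify; the enclosing state continues outside the hunk.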
@@ -72,14 +73,17 @@ docker: - 0.0.0.0:7000:7000 'so-strelka-backend': final_octet: 36 + port_bindings: [] 'so-strelka-filestream': final_octet: 37 + port_bindings: [] 'so-strelka-frontend': final_octet: 38 port_bindings: - 0.0.0.0:57314:57314 'so-strelka-manager': final_octet: 39 + port_bindings: [] 'so-strelka-gatekeeper': final_octet: 40 port_bindings: @@ -90,11 +94,14 @@ docker: - 0.0.0.0:6380:6379 'so-elastalert': final_octet: 42 + port_bindings: [] 'so-curator': final_octet: 43 + port_bindings: [] 'so-elastic-fleet-package-registry': final_octet: 44 port_bindings: - 0.0.0.0:8080:8080/tcp 'so-idh': final_octet: 45 + port_bindings: [] diff --git a/salt/docker/soc_docker.yaml b/salt/docker/soc_docker.yaml index 87f23cd64..ba0f053fa 100644 --- a/salt/docker/soc_docker.yaml +++ b/salt/docker/soc_docker.yaml 
@@ -10,272 +10,44 @@ docker: sobip: description: Bind IP for the SO docker interface. helpLink: docker.html + advanced: True sorange: description: IP range for the SO docker containers. helpLink: docker.html advanced: True containers: - so-curator: + so-curator: &dockerOptions final_octet: description: Last octet of the container IP address. helpLink: docker.html readonly: True advanced: True + global: True port_bindings: description: List of port bindings for the container. helpLink: docker.html advanced: True - multilint: True - so-dockerregistry: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-elastalert: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-elastic-fleet-package-registry: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-elastic-fleet: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-elasticsearch: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. 
- helpLink: docker.html - advanced: True - multilint: True - so-idh: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-idstools: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-influxdb: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-kibana: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-kratos: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-logstash: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-mysql: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. 
- helpLink: docker.html - advanced: True - multilint: True - so-nginx: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-playbook: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-redis: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-soc: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-soctopus: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-strelka-backend: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-strelka-coordinator: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. 
- helpLink: docker.html - advanced: True - multilint: True - so-strelka-filestream: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-strelka-frontend: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-strelka-gatekeeper: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. - helpLink: docker.html - advanced: True - multilint: True - so-strelka-manager: - final_octet: - description: Last octet of the container IP address. - helpLink: docker.html - readonly: True - advanced: True - port_bindings: - description: List of port bindings for the container. 
- helpLink: docker.html - advanced: True - multilint: True \ No newline at end of file + multiline: True + so-dockerregistry: *dockerOptions + so-elastalert: *dockerOptions + so-elastic-fleet-package-registry: *dockerOptions + so-elastic-fleet: *dockerOptions + so-elasticsearch: *dockerOptions + so-idh: *dockerOptions + so-idstools: *dockerOptions + so-influxdb: *dockerOptions + so-kibana: *dockerOptions + so-kratos: *dockerOptions + so-logstash: *dockerOptions + so-mysql: *dockerOptions + so-nginx: *dockerOptions + so-playbook: *dockerOptions + so-redis: *dockerOptions + so-soc: *dockerOptions + so-soctopus: *dockerOptions + so-strelka-backend: *dockerOptions + so-strelka-coordinator: *dockerOptions + so-strelka-filestream: *dockerOptions + so-strelka-frontend: *dockerOptions + so-strelka-gatekeeper: *dockerOptions + so-strelka-manager: *dockerOptions \ No newline at end of file From 8c2a43c073be09ba5ad40888d198ff2f481dd430 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 15:51:48 -0400 Subject: [PATCH 349/470] Adjust docker annotations --- salt/docker/defaults.yaml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index ebb979281..83e30066d 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml @@ -19,7 +19,6 @@ docker: - 0.0.0.0:9300:9300/tcp 'so-idstools': final_octet: 25 - port_bindings: [] 'so-influxdb': final_octet: 26 port_bindings: @@ -73,17 +72,14 @@ docker: - 0.0.0.0:7000:7000 'so-strelka-backend': final_octet: 36 - port_bindings: [] 'so-strelka-filestream': final_octet: 37 - port_bindings: [] 'so-strelka-frontend': final_octet: 38 port_bindings: - 0.0.0.0:57314:57314 'so-strelka-manager': final_octet: 39 - port_bindings: [] 'so-strelka-gatekeeper': final_octet: 40 port_bindings: 
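Review bot: The `&dockerOptions` anchor on `so-curator` with twenty-three `*dockerOptions` aliases makes every container share one mapping, and in most loaders (PyYAML included) an alias resolves to the same object, so any code that mutates one container's annotation, or a later per-container override, affects all of them, while tooling that does not expand anchors sees only `so-curator` populated. The collapse also adds `global: True` under `final_octet` for every container at once, which the per-container file being replaced did not carry; confirm that is intended across the board. A comment above the anchor such as `# shared annotation block; all containers alias it, so do not edit per container` would make the sharing visible to the next editor, and if the annotation consumer supports a default or wildcard entry that would be the more portable form. The file still ends without a newline.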
@@ -94,14 +90,11 @@ docker: - 0.0.0.0:6380:6379 'so-elastalert': final_octet: 42 - port_bindings: [] 'so-curator': final_octet: 43 - port_bindings: [] 'so-elastic-fleet-package-registry': final_octet: 44 port_bindings: - 0.0.0.0:8080:8080/tcp 'so-idh': - final_octet: 45 - port_bindings: [] + final_octet: 45 \ No newline at end of file From 22c3a4d398c8f86d4a9ac9a62d3be353d5ffb7e7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 16:08:26 -0400 Subject: [PATCH 350/470] Adjust elasticsearch annotations --- salt/elasticsearch/soc_elasticsearch.yaml | 3 +++ salt/strelka/filecheck/defaults.yaml | 4 ---- 2 files changed, 3 insertions(+), 4 deletions(-) delete mode 100644 salt/strelka/filecheck/defaults.yaml diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 05a812bbc..cd051b5bf 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -1,4 +1,7 @@ elasticsearch: + esheap: + description: Specify the memory heap size in m for Elasticsearch. + helpLink: elasticsearch.html config: cluster: name: diff --git a/salt/strelka/filecheck/defaults.yaml b/salt/strelka/filecheck/defaults.yaml deleted file mode 100644 index 6f45954d6..000000000 --- a/salt/strelka/filecheck/defaults.yaml +++ /dev/null @@ -1,4 +0,0 @@ -filecheck: - historypath: '/nsm/strelka/history/' - strelkapath: '/nsm/strelka/unprocessed/' - logfile: '/opt/so/log/strelka/filecheck.log' From bb3480cd76face23a614b07d9153a4cb48146888 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 16:20:22 -0400 Subject: [PATCH 351/470] Adjust host annotations --- salt/host/soc_host.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/host/soc_host.yaml diff --git a/salt/host/soc_host.yaml b/salt/host/soc_host.yaml new file mode 100644 index 000000000..8c790a8df --- /dev/null +++ b/salt/host/soc_host.yaml 
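Review bot: The new `esheap` description `Specify the memory heap size in m for Elasticsearch.` does not say what `m` stands for or what form the value must take, which matters for a setting that controls JVM memory; stating the unit and an example in the form the consumer expects (for example `JVM heap size in megabytes, given as a number followed by m`) would make it usable from the UI. Unlike the other annotations added on this page it carries no `global`/`advanced` flag, so confirm that a per-node, non-advanced setting is intended.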
@@ -0,0 +1,7 @@ +host: + mainint: + description: Main interface of the grid host. + helpLink: host.html + mainip: + description: Main IP address of the grid host. + helpLink: host.html \ No newline at end of file From 0bb2fd7d45bc61b03499380efe5d06cde0bae48d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 16:50:18 -0400 Subject: [PATCH 352/470] Adjust manager annotations --- salt/manager/soc_manager.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 salt/manager/soc_manager.yaml diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml new file mode 100644 index 000000000..10d48e121 --- /dev/null +++ b/salt/manager/soc_manager.yaml @@ -0,0 +1,17 @@ +manager: + elastalert: + description: Enable elastalert 1=enabled 0=disabled. + global: True + helpLink: manager.html + no_proxy: String of hosts to ignore the proxy settings for. + description: + global: True + helpLink: manager.html + playbook: + description: Enable playbook 1=enabled 0=disabled. + global: True + helpLink: manager.html + proxy: + description: Proxy server to use for updates. + global: True + helpLink: manager.html \ No newline at end of file From 27fdad4a25f2bdb6fc225fb21e78b9a64d2412fb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 16:52:22 -0400 Subject: [PATCH 353/470] Adjust manager annotations --- salt/manager/soc_manager.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index 10d48e121..68b3b53cf 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml @@ -1,6 +1,6 @@ manager: elastalert: - description: Enable elastalert 1=enabled 0=disabled. + description: Enable elastalert 1 enabled 0 disabled. global: True helpLink: manager.html no_proxy: String of hosts to ignore the proxy settings for. 
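Review bot: In the new salt/manager/soc_manager.yaml the `no_proxy` entry has its text on the wrong key: `no_proxy: String of hosts to ignore the proxy settings for.` turns `no_proxy` into a plain scalar, and the more-indented `description:` beneath it is then read as a continuation of that scalar, which a strict parser rejects ("mapping values are not allowed" in a plain-scalar continuation) while the description itself stays empty. It should be `no_proxy:` followed by `description: String of hosts to ignore the proxy settings for.` at the same indentation as the sibling entries' `description` lines.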
@@ -8,7 +8,7 @@ manager: global: True helpLink: manager.html playbook: - description: Enable playbook 1=enabled 0=disabled. + description: Enable playbook 1 enabled 0 disabled. global: True helpLink: manager.html proxy: From df036206a8855bc0813c6b52aabeefbe2762c333 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 20 Mar 2023 16:53:25 -0400 Subject: [PATCH 354/470] Fix Kratos parsing --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 2 +- salt/elasticsearch/files/ingest/kratos | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index b87ede0fe..7930e05d6 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -73,7 +73,7 @@ echo # Kratos logs echo echo "Setting up Kratos package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos" }}}}}}' echo # RITA Logs diff --git a/salt/elasticsearch/files/ingest/kratos b/salt/elasticsearch/files/ingest/kratos index f8dcf53e0..9551dad24 100644 --- a/salt/elasticsearch/files/ingest/kratos +++ b/salt/elasticsearch/files/ingest/kratos 
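Review bot: The rewritten package-policy curl still carries no `--fail` and its exit status is never examined; the script goes straight on to `echo` and the RITA section whether or not Kibana accepted the policy, so a rejected `processors` block — the part this commit changes — surfaces only as an error body in the output. Consider `curl --fail ...` (or capturing the response and checking it for the created policy `id`) so a bad policy definition stops the load instead of being skipped. The surrounding script is outside the hunk, so a later status check cannot be ruled out from here.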
@@ -1,7 +1,9 @@ { "description" : "kratos", "processors" : [ - { "set": { "field": "event.dataset", "value": "access" } }, + {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}}, + {"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}}, + {"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }}, { "pipeline": { "name": "common" } } ] -} +} \ No newline at end of file From a6e34ae1d71dd0c7168d449e9a3db340588c614e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 16:54:57 -0400 Subject: [PATCH 355/470] Adjust manager annotations --- salt/manager/soc_manager.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index 68b3b53cf..e6e58e524 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml @@ -1,14 +1,14 @@ manager: elastalert: - description: Enable elastalert 1 enabled 0 disabled. + description: Enable elastalert 1=enabled 0=disabled. global: True helpLink: manager.html - no_proxy: String of hosts to ignore the proxy settings for. - description: + no_proxy: + description: String of hosts to ignore the proxy settings for. global: True helpLink: manager.html playbook: - description: Enable playbook 1 enabled 0 disabled. + description: Enable playbook 1=enabled 0=disabled. global: True helpLink: manager.html proxy: From 252afa84996671269932622f86e03cefe79fd356 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 20 Mar 2023 17:10:34 -0400 Subject: [PATCH 356/470] bpf for pcap --- salt/bpf/pcap.map.jinja | 4 ++++ salt/bpf/soc_bpf.yaml | 3 +++ salt/pcap/init.sls | 8 ++++---- 3 files changed, 11 insertions(+), 4 deletions(-) create mode 100644 salt/bpf/pcap.map.jinja diff --git a/salt/bpf/pcap.map.jinja b/salt/bpf/pcap.map.jinja new file mode 100644 index 000000000..a160f2f7a --- /dev/null 
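Review bot: `event.dataset` is built as `kratos.{{{audience}}}` after a `set` on `audience` with `override: false`, and that default only fills in a missing field: a Kratos record whose `audience` is present but empty yields `kratos.` rather than `kratos.access`, and `ignore_empty_value` does not intervene because the rendered value `kratos.` is non-empty. If that case can occur, guard the dataset processor with a condition such as `"if": "ctx.audience != null && ctx.audience != ''"` or fold the empty-string case into the first `set`. Otherwise the new chain looks consistent with the Fleet-side processors, which now leave `audience` untouched.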
+++ b/salt/bpf/pcap.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} + +{% set PCAPBPF = BPFMERGED.pcap %} diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml index 0474b2e62..379eaa022 100644 --- a/salt/bpf/soc_bpf.yaml +++ b/salt/bpf/soc_bpf.yaml @@ -2,12 +2,15 @@ bpf: pcap: description: List of BPF filters to apply to PCAP. multiline: True + forcedType: "[]string" helpLink: bpf.html suricata: description: List of BPF filters to apply to Suricata. multiline: True + forcedType: "[]string" helpLink: bpf.html zeek: description: List of BPF filters to apply to Zeek. multiline: True + forcedType: "[]string" helpLink: bpf.html diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 401b5d616..73b384a53 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -9,8 +9,8 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "pcap/map.jinja" import STENOOPTIONS with context %} {% from "pcap/config.map.jinja" import PCAPMERGED with context %} -{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %} +{% from 'bpf/pcap.map.jinja' import PCAPBPF %} + {% set BPF_COMPILED = "" %} # PCAP Section @@ -33,8 +33,8 @@ stenoconfdir: - group: 939 - makedirs: True -{% if BPF_STENO %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %} +{% if PCAPBPF %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %} {% else %} From eb61b0c98fceb6ffd741d265ffb214fb4d44c1d4 Mon Sep 17 00:00:00 2001 
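Review bot: The rewritten compile step in the `@@ -33` hunk of salt/pcap/init.sls reads `GLOBALS.sensor.interface`, whereas the removed `salt['pillar.get']('sensor:interface', 'bond0')` carried a `'bond0'` fallback; unless vars/globals.map.jinja supplies its own default (not visible in this chunk), an unset interface now makes the `+ ' ' +` concatenation render an Undefined error before `so-bpf-compile` runs. Confirm the global has a default, or guard the block with `{% if PCAPBPF and GLOBALS.sensor.interface %}`. The same substitution is made in salt/suricata/init.sls in the following "suricata bpf" commit, where the same question applies.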
From: Mike Reeves Date: Mon, 20 Mar 2023 17:10:36 -0400 Subject: [PATCH 357/470] Adjust sensor annotations --- salt/sensor/soc_sensor.yaml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/sensor/soc_sensor.yaml diff --git a/salt/sensor/soc_sensor.yaml b/salt/sensor/soc_sensor.yaml new file mode 100644 index 000000000..61466b2b1 --- /dev/null +++ b/salt/sensor/soc_sensor.yaml @@ -0,0 +1,7 @@ +sensor: + interface: + description: Main sensor monitoring interface. + helpLink: sensor.html + mtu: + description: Main IP address of the grid host. + helpLink: host.html \ No newline at end of file From 0fff3a5a11c52a479d1658ef6638d3d2135fb1f7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 20 Mar 2023 17:31:56 -0400 Subject: [PATCH 358/470] suricata bpf --- salt/bpf/suricata.map.jinja | 4 ++++ salt/suricata/init.sls | 12 +++++------- 2 files changed, 9 insertions(+), 7 deletions(-) create mode 100644 salt/bpf/suricata.map.jinja diff --git a/salt/bpf/suricata.map.jinja b/salt/bpf/suricata.map.jinja new file mode 100644 index 000000000..bec763783 --- /dev/null +++ b/salt/bpf/suricata.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %} +{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %} + +{% set SURICATABPF = BPFMERGED.suricata %} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 6ef8c690e..07350d8e1 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls 
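Review bot: In the new salt/sensor/soc_sensor.yaml the `mtu` entry's text and link are copied from soc_host.yaml: `description: Main IP address of the grid host.` and `helpLink: host.html` do not describe an MTU setting. Suggest `description: MTU of the sensor monitoring interface.` and `helpLink: sensor.html`, matching the sibling `interface` entry.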
@@ -9,11 +9,9 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from "suricata/map.jinja" import SURICATAOPTIONS with context %} -{% set interface = salt['pillar.get']('sensor:interface') %} -{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %} +{% from 'bpf/suricata.map.jinja' import SURICATABPF %} {% set BPF_STATUS = 0 %} -{# import_yaml 'suricata/files/defaults2.yaml' as suricata #} {% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %} {% from "suricata/map.jinja" import START with context %} @@ -109,8 +107,8 @@ surithresholding: - template: jinja # BPF compilation and configuration -{% if BPF_NIDS %} - {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %} +{% if SURICATABPF %} + {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %} {% if BPF_CALC['stderr'] == "" %} {% set BPF_STATUS = 1 %} {% else %} @@ -128,7 +126,7 @@ suribpf: - user: 940 - group: 940 {% if BPF_STATUS %} - - contents_pillar: nids:bpf + - contents: {{ SURICATABPF }} {% else %} - contents: - "" @@ -141,7 +139,7 @@ so-suricata: - start: {{ SURICATAOPTIONS.start }} - privileged: True - environment: - - INTERFACE={{ interface }} + - INTERFACE={{ GLOBALS.sensor.interface }} - binds: - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro From 507142cde4b14393c64062a4a0ca285d216508a0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 20:02:23 -0400 Subject: [PATCH 359/470] Adjust patch annotations --- salt/patch/soc_patch.yaml | 79 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 salt/patch/soc_patch.yaml diff --git a/salt/patch/soc_patch.yaml b/salt/patch/soc_patch.yaml new file mode 100644 index 000000000..452cd1916 --- /dev/null 
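Review bot: `- contents: {{ SURICATABPF }}` in the `@@ -128` hunk of salt/suricata/init.sls interpolates the Jinja list through its Python repr, which only happens to parse as a YAML flow sequence while every filter string is free of awkward quoting; a filter that contains both `'` and `"` renders a backslash-escaped repr that the YAML loader rejects and the state fails to render. Passing it through Salt's yaml filter, `- contents: {{ SURICATABPF | yaml }}`, produces well-formed output for any list content. The `{% if BPF_STATUS %}` block this sits in starts and ends outside the hunk.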
+++ b/salt/patch/soc_patch.yaml @@ -0,0 +1,79 @@ +patch: + os: + enabled: + description: Enable OS updates. + helpLink: patch.html + schedule_to_run: + description: Currently running schedule for updates. + helpLink: patch.html + schedules: + auto: + splay: &splayOptions + description: Seconds to splay updates. + helpLink: patch.html + schedule: + hours: + description: Run the OS updates every X hours. + helpLink: patch.html + monday: + splay: *splayOptions + schedule: + Monday: &dayOptions + description: List of times to run OS Updates on this day. + multiline: True + tuesday: + splay: *splayOptions + schedule: + Tuesday: *dayOptions + wednesday: + splay: *splayOptions + schedule: + Wednesday: *dayOptions + thursday: + splay: *splayOptions + schedule: + Thursday: *dayOptions + friday: + splay: *splayOptions + schedule: + Friday: *dayOptions + saturday: + splay: *splayOptions + schedule: + Saturday: *dayOptions + sunday: + splay: *splayOptions + schedule: + Sunday: *dayOptions + daily: + splay: *splayOptions + schedule: + Monday: &dailyOptions + description: List of times to apply OS patches daily. + multiline: True + helpLink: True + Tuesday: *dailyOptions + Wednesday: *dailyOptions + Thursday: *dailyOptions + Friday: *dailyOptions + Saturday: *dailyOptions + Sunday: *dailyOptions + weekdays: + splay: *splayOptions + schedule: + Monday: &weekdayOptions + description: List of times for weekdays. + multiline: True + helplink: patch.html + Tuesday: *weekdayOptions + Wednesday: *weekdayOptions + Thursday: *weekdayOptions + Friday: *weekdayOptions + weekends: + splay: *splayOptions + schedule: + Saturday: &weekendOptions + description: + multiline: true + helpLink: patch.html + Sunday: *weekendOptions \ No newline at end of file From f810f9cbf08caabc5c7d7586e8a663e502f334e0 Mon Sep 17 00:00:00 2001 
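Review bot: Several anchors in the new salt/patch/soc_patch.yaml disagree with their siblings: `&dailyOptions` has `helpLink: True` where the others point at `patch.html`, `&weekdayOptions` spells the key `helplink`, `&dayOptions` has no help link at all, and `&weekendOptions` leaves `description:` empty. The file also mixes `multiline: True` and `multiline: true`. Suggest `helpLink: patch.html` in all four anchors, a description such as `description: List of times to run OS Updates on this day.` for weekends, and one boolean spelling throughout.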
From: Mike Reeves Date: Mon, 20 Mar 2023 20:12:26 -0400 Subject: [PATCH 360/470] Adjust patch annotations --- salt/elasticfleet/soc_elasticfleet.yaml | 3 +++ salt/sensoroni/soc_sensoroni.yaml | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 salt/sensoroni/soc_sensoroni.yaml diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 0e111feca..a7e9fbe4a 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -4,14 +4,17 @@ elasticfleet: description: Endpoint enrollment key. global: True helpLink: elastic-fleet.html + sensitive: True es_token: description: Elastic auth token. global: True helpLink: elastic-fleet.html + sensitive: True grid_enrollment: description: Grid enrollment key. global: True helpLink: elastic-fleet.html + sensitive: True url: description: Agent connection URL. global: True diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml new file mode 100644 index 000000000..abe3dda09 --- /dev/null +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -0,0 +1,18 @@ +sensoroni: + node_checkin_interval_ms: + description: Interval in ms to checkin to the soc_host. + advanced: True + helpLink: sensoroni.html + node_description: + description: Description of the specific node. + helpLink: sensoroni.html + sensoronikey: + description: Shared key for sensoroni authentication. + helpLink: sensoroni.html + global: True + sensitive: True + soc_host: + description: Host for sensoroni agents to connect to. + helpLink: sensoroni.html + global: True + advanced: True \ No newline at end of file From 01d470a4262e6b49170848000673094fd474b2e8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 20:13:29 -0400 Subject: [PATCH 361/470] Adjust patch annotations --- salt/sensoroni/soc_sensoroni.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index abe3dda09..6f6a75452 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -11,6 +11,7 @@ sensoroni: helpLink: sensoroni.html global: True sensitive: True + advanced: True soc_host: description: Host for sensoroni agents to connect to. helpLink: sensoroni.html From bc7261acfe636dd5646347fd5f7b717aebd51e23 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 20:16:43 -0400 Subject: [PATCH 362/470] Adjust patch annotations --- salt/elasticfleet/soc_elasticfleet.yaml | 6 +++++- salt/soctopus/soc_soctopus.yaml | 7 +++++++ 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 salt/soctopus/soc_soctopus.yaml diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index a7e9fbe4a..4d523c548 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -5,17 +5,21 @@ elasticfleet: global: True helpLink: elastic-fleet.html sensitive: True + advanced: True es_token: description: Elastic auth token. global: True helpLink: elastic-fleet.html sensitive: True + advanced: True grid_enrollment: description: Grid enrollment key. global: True helpLink: elastic-fleet.html sensitive: True + advanced: True url: description: Agent connection URL. global: True - helpLink: elastic-fleet.html \ No newline at end of file + helpLink: elastic-fleet.html + advanced: True \ No newline at end of file diff --git a/salt/soctopus/soc_soctopus.yaml b/salt/soctopus/soc_soctopus.yaml new file mode 100644 index 000000000..02991d295 --- /dev/null +++ b/salt/soctopus/soc_soctopus.yaml @@ -0,0 +1,7 @@ +soctopus: + playbook: + rulesets: + description: List of playbook rulesets + advanced: True + helplink: soctopus.html + global: True \ No newline at end of file From 64904406b6517a0051cf9e477610e7e20f701276 Mon Sep 17 00:00:00 2001 
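Review bot: The new salt/soctopus/soc_soctopus.yaml spells the key `helplink: soctopus.html`, while every other annotation file in this series uses `helpLink`; if the SOC loader matches the camelCase key, this link is silently dropped. Change it to `helpLink: soctopus.html`. The same lowercase spelling also appears in salt/patch/soc_patch.yaml and salt/idh/soc_idh.yaml in neighbouring commits.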
From: Mike Reeves Date: Tue, 21 Mar 2023 08:41:48 -0400 Subject: [PATCH 363/470] Adjust annotations --- salt/soctopus/soc_soctopus.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soctopus/soc_soctopus.yaml b/salt/soctopus/soc_soctopus.yaml index 02991d295..033405345 100644 --- a/salt/soctopus/soc_soctopus.yaml +++ b/salt/soctopus/soc_soctopus.yaml @@ -1,7 +1,7 @@ soctopus: playbook: rulesets: - description: List of playbook rulesets + description: List of playbook rulesets. advanced: True helplink: soctopus.html global: True \ No newline at end of file From 444988f2875430e5f1f570c841bb0a8569b3e929 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 08:48:02 -0400 Subject: [PATCH 364/470] Adjust annotations --- salt/elasticsearch/soc_elasticsearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index cd051b5bf..d7c310687 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -1,6 +1,6 @@ elasticsearch: esheap: - description: Specify the memory heap size in m for Elasticsearch. + description: Specify the memory heap size in (m)egabytes for Elasticsearch. helpLink: elasticsearch.html config: cluster: From a3d38dd2e756be66882c949cd6d8d9f9fb3239b2 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 21 Mar 2023 09:49:28 -0400 Subject: [PATCH 365/470] Rework IDH phase 1 --- salt/idh/defaults.yaml | 90 +++++++++++++++ salt/idh/defaults/defaults.yaml | 37 ------- salt/idh/defaults/ftp.defaults.yaml | 6 - salt/idh/defaults/git.defaults.yaml | 5 - salt/idh/defaults/http.defaults.yaml | 12 -- salt/idh/defaults/httpproxy.defaults.yaml | 11 -- salt/idh/defaults/mssql.defaults.yaml | 6 - salt/idh/defaults/mysql.defaults.yaml | 6 - salt/idh/defaults/ntp.defaults.yaml | 5 - salt/idh/defaults/redis.defaults.yaml | 5 - salt/idh/defaults/sip.defaults.yaml | 5 - salt/idh/defaults/smb.defaults.yaml | 5 - salt/idh/defaults/snmp.defaults.yaml | 5 - salt/idh/defaults/ssh.defaults.yaml | 6 - salt/idh/defaults/telnet.defaults.yaml | 11 -- salt/idh/defaults/tftp.defaults.yaml | 5 - salt/idh/defaults/vnc.defaults.yaml | 5 - salt/idh/soc_idh.yaml | 127 ++++++++++++++++++++++ 18 files changed, 217 insertions(+), 135 deletions(-) create mode 100644 salt/idh/defaults.yaml delete mode 100644 salt/idh/defaults/defaults.yaml delete mode 100644 salt/idh/defaults/ftp.defaults.yaml delete mode 100644 salt/idh/defaults/git.defaults.yaml delete mode 100644 salt/idh/defaults/http.defaults.yaml delete mode 100644 salt/idh/defaults/httpproxy.defaults.yaml delete mode 100644 salt/idh/defaults/mssql.defaults.yaml delete mode 100644 salt/idh/defaults/mysql.defaults.yaml delete mode 100644 salt/idh/defaults/ntp.defaults.yaml delete mode 100644 salt/idh/defaults/redis.defaults.yaml delete mode 100644 salt/idh/defaults/sip.defaults.yaml delete mode 100644 salt/idh/defaults/smb.defaults.yaml delete mode 100644 salt/idh/defaults/snmp.defaults.yaml delete mode 100644 salt/idh/defaults/ssh.defaults.yaml delete mode 100644 salt/idh/defaults/telnet.defaults.yaml delete mode 100644 salt/idh/defaults/tftp.defaults.yaml delete mode 100644 salt/idh/defaults/vnc.defaults.yaml create mode 100644 salt/idh/soc_idh.yaml 
diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml new file mode 100644 index 000000000..6ace873b7 --- /dev/null +++ b/salt/idh/defaults.yaml 
@@ -0,0 +1,90 @@ +idh: + opencanary: + config: + logger: + class: PyLogger + kwargs: + formatters: + plain: + format: '%(message)s' + handlers: + console: + class: logging.StreamHandler + stream: ext://sys.stdout + file: + class: logging.FileHandler + filename: /var/tmp/opencanary.log + portscan.enabled: false + portscan.logfile: /var/log/kern.log + portscan.synrate: 5 + portscan.nmaposrate: 5 + portscan.lorate: 3 + tcpbanner.maxnum: 10 + tcpbanner.enabled: false + tcpbanner_1.enabled: false + tcpbanner_1.port: 8001 + tcpbanner_1.datareceivedbanner: '' + tcpbanner_1.initbanner: '' + tcpbanner_1.alertstring.enabled: false + tcpbanner_1.keep_alive.enabled: false + tcpbanner_1.keep_alive_secret: '' + tcpbanner_1.keep_alive_probes: 11 + tcpbanner_1.keep_alive_interval: 300 + tcpbanner_1.keep_alive_idle: 300 + ftp.enabled: true + ftp.port: 21 + ftp.banner: FTP server ready + git.enabled: true + git.port: 9418 + http.banner: Apache/2.2.34 (Ubuntu) + http.enabled: true + http.port: 80 + http.skin: nasLogin + http.skin.list: + - desc: Plain HTML Login + name: basicLogin + - desc: Synology NAS Login + name: nasLogin + httpproxy.enabled: true + httpproxy.port: 8080 + httpproxy.skin: squid + httproxy.skin.list: + - desc: Squid + name: squid + - desc: Microsoft ISA Server Web Proxy + name: ms-isa + mssql.enabled: true + mssql.version: '2012' + mssql.port: 1433 + mysql.enabled: true + mysql.port: 3306 + mysql.banner: 5.5.43-0ubuntu0.14.04.1 + ntp.enabled: true + ntp.port: '123' + redis.enabled: true + redis.port: 6379 + sip.enabled: true + sip.port: 5060 + smb.auditfile: /var/log/samba-audit.log + smb.enabled: true + snmp.enabled: true + snmp.port: 161 + ssh.enabled: true + ssh.port: 22 + ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 + telnet.enabled: true + telnet.port: '23' + telnet.banner: '' + telnet.honeycreds: + - username: admin + password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA + - 
username: admin + password: admin1 + tftp.enabled: true + tftp.port: 69 + vnc.enabled: true + vnc.port: 5900 + openssh: + enable: true + config: + port: 2222 diff --git a/salt/idh/defaults/defaults.yaml b/salt/idh/defaults/defaults.yaml deleted file mode 100644 index 4ed6bc3c5..000000000 --- a/salt/idh/defaults/defaults.yaml +++ /dev/null @@ -1,37 +0,0 @@ -idh: - opencanary: - config: - logger: - class: PyLogger - kwargs: - formatters: - plain: - format: '%(message)s' - handlers: - console: - class: logging.StreamHandler - stream: ext://sys.stdout - file: - class: logging.FileHandler - filename: /var/tmp/opencanary.log - portscan.enabled: false - portscan.logfile: /var/log/kern.log - portscan.synrate: 5 - portscan.nmaposrate: 5 - portscan.lorate: 3 - tcpbanner.maxnum: 10 - tcpbanner.enabled: false - tcpbanner_1.enabled: false - tcpbanner_1.port: 8001 - tcpbanner_1.datareceivedbanner: '' - tcpbanner_1.initbanner: '' - tcpbanner_1.alertstring.enabled: false - tcpbanner_1.keep_alive.enabled: false - tcpbanner_1.keep_alive_secret: '' - tcpbanner_1.keep_alive_probes: 11 - tcpbanner_1.keep_alive_interval: 300 - tcpbanner_1.keep_alive_idle: 300 - openssh: - enable: true - config: - port: 2222 diff --git a/salt/idh/defaults/ftp.defaults.yaml b/salt/idh/defaults/ftp.defaults.yaml deleted file mode 100644 index bed8f90dc..000000000 --- a/salt/idh/defaults/ftp.defaults.yaml +++ /dev/null @@ -1,6 +0,0 @@ -idh: - opencanary: - config: - ftp.enabled: true - ftp.port: 21 - ftp.banner: FTP server ready \ No newline at end of file diff --git a/salt/idh/defaults/git.defaults.yaml b/salt/idh/defaults/git.defaults.yaml deleted file mode 100644 index d77c4aa1d..000000000 --- a/salt/idh/defaults/git.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - git.enabled: true - git.port: 9418 \ No newline at end of file diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml deleted file mode 100644 index 2b6a9fe8e..000000000 
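Review bot: In the new salt/idh/defaults.yaml, `ntp.port: '123'` and `telnet.port: '23'` are quoted strings while every other `*.port` value is an integer; they were carried over verbatim from the deleted per-service files, so this consolidation is the moment to settle on one type (`ntp.port: 123`, `telnet.port: 23`) if OpenCanary's loader expects numbers — confirm against its config handling before changing. The key `httproxy.skin.list` is also missing a `p`, so it does not sit alongside `httpproxy.enabled`/`httpproxy.port`. The `telnet.honeycreds` entries are honeypot bait credentials, so their presence in a shipped defaults file is expected rather than a leaked secret.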
--- a/salt/idh/defaults/http.defaults.yaml +++ /dev/null @@ -1,12 +0,0 @@ -idh: - opencanary: - config: - http.banner: Apache/2.2.34 (Ubuntu) - http.enabled: true - http.port: 80 - http.skin: nasLogin - http.skin.list: - - desc: Plain HTML Login - name: basicLogin - - desc: Synology NAS Login - name: nasLogin \ No newline at end of file diff --git a/salt/idh/defaults/httpproxy.defaults.yaml b/salt/idh/defaults/httpproxy.defaults.yaml deleted file mode 100644 index 32ef4a961..000000000 --- a/salt/idh/defaults/httpproxy.defaults.yaml +++ /dev/null @@ -1,11 +0,0 @@ -idh: - opencanary: - config: - httpproxy.enabled: true - httpproxy.port: 8080 - httpproxy.skin: squid - httproxy.skin.list: - - desc: Squid - name: squid - - desc: Microsoft ISA Server Web Proxy - name: ms-isa \ No newline at end of file diff --git a/salt/idh/defaults/mssql.defaults.yaml b/salt/idh/defaults/mssql.defaults.yaml deleted file mode 100644 index 199640992..000000000 --- a/salt/idh/defaults/mssql.defaults.yaml +++ /dev/null @@ -1,6 +0,0 @@ -idh: - opencanary: - config: - mssql.enabled: true - mssql.version: '2012' - mssql.port: 1433 \ No newline at end of file diff --git a/salt/idh/defaults/mysql.defaults.yaml b/salt/idh/defaults/mysql.defaults.yaml deleted file mode 100644 index 98c6d2041..000000000 --- a/salt/idh/defaults/mysql.defaults.yaml +++ /dev/null @@ -1,6 +0,0 @@ -idh: - opencanary: - config: - mysql.enabled: true - mysql.port: 3306 - mysql.banner: 5.5.43-0ubuntu0.14.04.1 \ No newline at end of file diff --git a/salt/idh/defaults/ntp.defaults.yaml b/salt/idh/defaults/ntp.defaults.yaml deleted file mode 100644 index a7df2d460..000000000 --- a/salt/idh/defaults/ntp.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - ntp.enabled: true - ntp.port: '123' \ No newline at end of file diff --git a/salt/idh/defaults/redis.defaults.yaml b/salt/idh/defaults/redis.defaults.yaml deleted file mode 100644 index 90e190f09..000000000 
--- a/salt/idh/defaults/redis.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - redis.enabled: true - redis.port: 6379 \ No newline at end of file diff --git a/salt/idh/defaults/sip.defaults.yaml b/salt/idh/defaults/sip.defaults.yaml deleted file mode 100644 index 740a13234..000000000 --- a/salt/idh/defaults/sip.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - sip.enabled: true - sip.port: 5060 \ No newline at end of file diff --git a/salt/idh/defaults/smb.defaults.yaml b/salt/idh/defaults/smb.defaults.yaml deleted file mode 100644 index e92e0239a..000000000 --- a/salt/idh/defaults/smb.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - smb.auditfile: /var/log/samba-audit.log - smb.enabled: true \ No newline at end of file diff --git a/salt/idh/defaults/snmp.defaults.yaml b/salt/idh/defaults/snmp.defaults.yaml deleted file mode 100644 index 990bf919e..000000000 --- a/salt/idh/defaults/snmp.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - snmp.enabled: true - snmp.port: 161 \ No newline at end of file diff --git a/salt/idh/defaults/ssh.defaults.yaml b/salt/idh/defaults/ssh.defaults.yaml deleted file mode 100644 index 00dcfbcf8..000000000 --- a/salt/idh/defaults/ssh.defaults.yaml +++ /dev/null @@ -1,6 +0,0 @@ -idh: - opencanary: - config: - ssh.enabled: true - ssh.port: 22 - ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 \ No newline at end of file diff --git a/salt/idh/defaults/telnet.defaults.yaml b/salt/idh/defaults/telnet.defaults.yaml deleted file mode 100644 index 34f1d3190..000000000 --- a/salt/idh/defaults/telnet.defaults.yaml +++ /dev/null 
@@ -1,11 +0,0 @@ -idh: - opencanary: - config: - telnet.enabled: true - telnet.port: '23' - telnet.banner: '' - telnet.honeycreds: - - username: admin - password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA - - username: admin - password: admin1 \ No newline at end of file diff --git a/salt/idh/defaults/tftp.defaults.yaml b/salt/idh/defaults/tftp.defaults.yaml deleted file mode 100644 index 5f275839f..000000000 --- a/salt/idh/defaults/tftp.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - tftp.enabled: true - tftp.port: 69 \ No newline at end of file diff --git a/salt/idh/defaults/vnc.defaults.yaml b/salt/idh/defaults/vnc.defaults.yaml deleted file mode 100644 index 1995e5651..000000000 --- a/salt/idh/defaults/vnc.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - vnc.enabled: true - vnc.port: 5900 \ No newline at end of file diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml new file mode 100644 index 000000000..b7bc93e93 --- /dev/null +++ b/salt/idh/soc_idh.yaml 
@@ -0,0 +1,127 @@ +idh: + opencanary: + config: + logger: + class: &loggingOptions + readonly: True + advanced: True + global: True + helpLink: idh.html + kwargs: + formatters: + plain: + format: *loggingOptions + handlers: + console: + class: *loggingOptions + stream: *loggingOptions + file: + class: *loggingOptions + filename: *loggingOptions + portscan.enabled: &serviceOptions + description: To enable this IDH service set this value to True. To disable set to False. + helpLink: idh.html + portscan.logfile: *loggingOptions + portscan.synrate: + description: Needs update + advanced: True + helpLink: idh.html + portscan.nmaposrate: + description: Needs update + advanced: True + helpLink: idh.html + portscan.lorate: + description: Needs update + advanced: True + helpLink: idh.html + tcpbanner.maxnum: + description: Needs update + advanced: True + helpLink: idh.html + tcpbanner.enabled: *serviceOptions + tcpbanner_1.enabled: *serviceOptions + tcpbanner_1.port: &portOptions + tcpbanner_1.datareceivedbanner: &bannerOptions + description: Needs update + advanced: True + helpLink: idh.html + tcpbanner_1.initbanner: *bannerOptions + tcpbanner_1.alertstring.enabled: *serviceOptions + tcpbanner_1.keep_alive.enabled: *serviceOptions + tcpbanner_1.keep_alive_secret: + description: Needs update + advanced: True + helpLink: idh.html + tcpbanner_1.keep_alive_probes: + description: Needs update + advanced: True + helpLink: idh.html + tcpbanner_1.keep_alive_interval: + description: Needs update + advanced: True + helpLink: idh.html + tcpbanner_1.keep_alive_idle: + description: Needs update + advanced: True + helpLink: idh.html + ftp.enabled: *serviceOptions + ftp.port: *portOptions + ftp.banner: *bannerOptions + git.enabled: *serviceOptions + git.port: *portOptions + http.banner: *bannerOptions + http.enabled: *serviceOptions + http.port: *portOptions + http.skin: &skinOptions + description: + advanced: True + helplink: idh.html + http.skin.list: &skinlistOptions + description: 
List of skins to use for the service. + advanced: Ture + helpLink: idh.html + httpproxy.enabled: *serviceOptions + httpproxy.port: *portOptions + httpproxy.skin: *skinOptions + httproxy.skin.list: *skinlistOptions + mssql.enabled: *serviceOptions + mssql.version: &versionOptions + description: Specify the version the service should present. + advanced: True + helpLink: idh.html + mssql.port: *portOptions + mysql.enabled: *serviceOptions + mysql.port: *portOptions + mysql.banner: *bannerOptions + ntp.enabled: *serviceOptions + ntp.port: *portOptions + redis.enabled: *serviceOptions + redis.port: *portOptions + sip.enabled: *serviceOptions + sip.port: *portOptions + smb.auditfile: *loggingOptions + smb.enabled: *serviceOptions + snmp.enabled: *serviceOptions + snmp.port: *portOptions + ssh.enabled: *serviceOptions + ssh.port: *portOptions + ssh.version: *versionOptions + telnet.enabled: *serviceOptions + telnet.port: *portOptions + telnet.banner: *bannerOptions + telnet.honeycreds: + description: Credentials list for the telnet service. + advanced: True + helpLink: idh.html + tftp.enabled: *serviceOptions + tftp.port: *portOptions + vnc.enabled: *serviceOptions + vnc.port: *portOptions + openssh: + enable: + description: This is the other SSH for the host machine. Needs better descirption. + helpLink: idh.html + config: + port: + description: Port that ssh will listen on and only accessible from the manager. + helpLink: idh.html From 9ca9b9d4daa266f54cb2fa80c99c0492eb296480 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 09:53:06 -0400 Subject: [PATCH 366/470] Rework IDH phase 1 --- salt/idh/soc_idh.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index b7bc93e93..d12a1eee3 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -3,6 +3,7 @@ idh: config: logger: class: &loggingOptions + description: Logging options for IDH nodes. readonly: True advanced: True global: True 
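Review bot: The new salt/idh/soc_idh.yaml has `advanced: Ture` under `&skinlistOptions`, which loads as a string rather than a boolean and so will not be treated as advanced; it should be `advanced: True`. In the same file `&skinOptions` carries an empty `description:` and the lowercase key `helplink: idh.html`, the openssh `enable` entry contains "descirption", and a dozen entries still read `description: Needs update` — all of which will be shown verbatim in the SOC UI until they are filled in.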
@@ -41,6 +42,9 @@ idh: tcpbanner.enabled: *serviceOptions tcpbanner_1.enabled: *serviceOptions tcpbanner_1.port: &portOptions + description: Defined port the service should listen on. + advanced: True + helpLink: idh.html tcpbanner_1.datareceivedbanner: &bannerOptions description: Needs update advanced: True From 05b1a445d3c66436d669d6a41892bbcd4a72def8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 21 Mar 2023 10:12:10 -0400 Subject: [PATCH 367/470] use saltversion grain to determine installed version --- salt/salt/map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index c7d4cab38..14e735b56 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -17,7 +17,7 @@ {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% endif %} -{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %} +{% set INSTALLEDSALTVERSION = grains.saltversion %} {% if grains.saltversion|string != SALTVERSION|string %} {% if grains.os|lower in ['Rocky', 'redhat'] %} From efd5f7b8a238cba6ca19413079b314c14c63eda6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 21 Mar 2023 10:44:21 -0400 Subject: [PATCH 368/470] catch errors and exit with proper exit code --- salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load index ba968d2fe..a10d07e13 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
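Review bot: `grains.saltversion` is the version of the running salt-minion process, whereas `pkg.version('salt-minion')` reported the installed package, so after a package upgrade without a minion restart `INSTALLEDSALTVERSION` no longer reflects what is installed; if that is the intent, a comment such as `{# version of the running minion; may lag the installed package until restart #}` would make it explicit. The following context line already compares `grains.saltversion` directly, so the variable (and `SPLITCHAR`, set outside the hunk) may now be unused. Not changed by this commit but visible in the same hunk, `grains.os|lower in ['Rocky', 'redhat']` can never match `'Rocky'` because the grain has been lowercased; it should read `['rocky', 'redhat']`.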
@@ -31,8 +31,11 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then echo echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" echo + exit 1 fi +set -e + cd ${ELASTICSEARCH_TEMPLATES}/component/ecs echo "Loading ECS component templates..." From bd17121834605cf9ca690ea90cad78f62b4c3df5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 11:23:31 -0400 Subject: [PATCH 369/470] Rework IDH phase 1 --- salt/idh/defaults.yaml | 4 ++-- salt/idh/opencanary_config.map.jinja | 6 +----- salt/idh/soc_idh.yaml | 6 +++--- 3 files changed, 6 insertions(+), 10 deletions(-) diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml index 6ace873b7..0543135c0 100644 --- a/salt/idh/defaults.yaml +++ b/salt/idh/defaults.yaml @@ -40,7 +40,7 @@ idh: http.enabled: true http.port: 80 http.skin: nasLogin - http.skin.list: + http.skinlist": - desc: Plain HTML Login name: basicLogin - desc: Synology NAS Login @@ -48,7 +48,7 @@ idh: httpproxy.enabled: true httpproxy.port: 8080 httpproxy.skin: squid - httproxy.skin.list: + httpproxy.skinlist: - desc: Squid name: squid - desc: Microsoft ISA Server Web Proxy diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja index cb601c163..f81de4518 100644 --- a/salt/idh/opencanary_config.map.jinja +++ b/salt/idh/opencanary_config.map.jinja 
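Review bot: `set -e` stops the script only when a simple command returns non-zero; a `curl` that receives a 4xx/5xx from Elasticsearch still exits 0 unless it is run with `--fail`, and a failure on the left side of a pipeline is masked without `pipefail`, so the template-loading steps after this hunk (not visible here) may still report success on a failed load. Consider `set -eo pipefail` here and `--fail` on the curl invocations if they do not already use it. The new `exit 1` in the timeout branch is the right change.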
@@ -2,11 +2,7 @@ {% set IDH_PORTGROUPS = {} %} -{% import_yaml "idh/defaults/defaults.yaml" as IDHCONFIG with context %} -{% for service in idh_services %} - {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %} - {% do salt['defaults.merge'](IDHCONFIG, SERVICECONFIG, in_place=True) %} -{% endfor %} +{% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %} {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %} {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %} diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index d12a1eee3..159e3c854 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -80,14 +80,14 @@ idh: description: advanced: True helplink: idh.html - http.skin.list: &skinlistOptions + http.skinlist: &skinlistOptions description: List of skins to use for the service. - advanced: Ture + advanced: True helpLink: idh.html httpproxy.enabled: *serviceOptions httpproxy.port: *portOptions httpproxy.skin: *skinOptions - httproxy.skin.list: *skinlistOptions + httpproxy.skinlist: *skinlistOptions mssql.enabled: *serviceOptions mssql.version: &versionOptions description: Specify the version the service should present. From d89310e4790b0a0d099f673e887fde82eba2f4d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 11:25:06 -0400 Subject: [PATCH 370/470] Rework IDH phase 1 --- salt/idh/soc_idh.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index 159e3c854..9a49cdfb8 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml 
@@ -20,7 +20,7 @@ idh: class: *loggingOptions filename: *loggingOptions portscan.enabled: &serviceOptions - description: To enable this IDH service set this value to True. To disable set to False. + description: To enable this IDH service set this value to true. To disable set to false. helpLink: idh.html portscan.logfile: *loggingOptions portscan.synrate: From 1526a7de11045032870cdff2879f76af33c094dc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 11:26:30 -0400 Subject: [PATCH 371/470] Rework IDH phase 1 --- salt/idh/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml index 0543135c0..c5685838d 100644 --- a/salt/idh/defaults.yaml +++ b/salt/idh/defaults.yaml @@ -40,7 +40,7 @@ idh: http.enabled: true http.port: 80 http.skin: nasLogin - http.skinlist": + http.skinlist: - desc: Plain HTML Login name: basicLogin - desc: Synology NAS Login From d87060b56e92695d0d18678f3264bd246f6db490 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 21 Mar 2023 12:48:02 -0400 Subject: [PATCH 372/470] Update Elastic Agent to 8.6.2 --- salt/common/tools/sbin/so-elastic-fleet-setup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 8334490d5..5eeccb8db 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
@@ -97,9 +97,9 @@ salt-call state.apply elasticfleet queue=True /usr/sbin/so-elastic-fleet-integration-policy-load # Temp -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-darwin-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-linux-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-windows-x86_64.tar.gz #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git #cd securityonion-image/so-elastic-agent-builder From 30fc74ac09c1631687f17870a9f135388abcaf6f Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 21 Mar 2023 12:53:35 -0400 Subject: [PATCH 373/470] Update so-minion --- salt/common/tools/sbin/so-minion | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index d14955e61..f7efb56db 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -206,6 +206,9 @@ function add_sensor_to_minion() { echo " enabled: True" >> $PILLARFILE } +function apply_ES_state() { + salt-call state.apply elasticsearch --queue=True +} function createEVAL() { add_elastic_to_minion add_logstash_to_minion @@ -245,6 +248,7 @@ function createSENSOR() { function createSEARCHNODE() { add_elastic_to_minion add_logstash_to_minion + applyElasticState } function createSTANDALONE() { @@ -297,4 +301,4 @@ fi if [[ "$OPERATION" = 'test' ]]; then testminion -fi \ No newline at end of file +fi From aeb6d47637b016359f1fbe2963d74146a97ec210 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 13:39:24 -0400 Subject: [PATCH 374/470] Update so-minion --- salt/common/tools/sbin/so-minion | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index f7efb56db..ea605bc09 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -206,8 +206,11 @@ function add_sensor_to_minion() { echo " enabled: True" >> $PILLARFILE } +function updateMine() { + salt "$MINION_ID" mine.send network.ip_addrs interface="$MNIC" +} function apply_ES_state() { - salt-call state.apply elasticsearch --queue=True + salt-call state.apply elasticsearch concurrent=True } function createEVAL() { add_elastic_to_minion @@ -248,7 +251,8 @@ function createSENSOR() { function createSEARCHNODE() { add_elastic_to_minion add_logstash_to_minion - applyElasticState + updateMine + apply_ES_state } function createSTANDALONE() { 
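Review bot: `apply_ES_state` now runs `state.apply elasticsearch concurrent=True`, which Salt documents as potentially dangerous because it allows two state runs to modify the same minion at once; the previous `queue=True` form (spelled without the leading dashes) would instead wait for an in-progress run, which is what a post-provisioning hook usually wants. If concurrency is genuinely required here, a comment in the function explaining why should accompany it. `updateMine` relies on `$MNIC` and `$MINION_ID` being set earlier in so-minion, outside the hunk; it is worth confirming `$MNIC` is defined on the path that reaches `createSEARCHNODE`, since an empty `interface=` filter silently changes what `mine.send` publishes.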
From 5fc297b8c14ba662a5d038ee54af8d0a3f065682 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 16:52:08 -0400 Subject: [PATCH 375/470] Change Elastic Logic --- salt/common/tools/sbin/so-minion | 4 --- salt/elasticsearch/config.map.jinja | 25 ++++++++----------- salt/elasticsearch/defaults.yaml | 4 +-- .../templates/component/so/case-settings.json | 7 ------ .../component/so/common-settings.json | 7 ------ 5 files changed, 12 insertions(+), 35 deletions(-) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index ea605bc09..dc9d1e2fa 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -129,10 +129,6 @@ function add_elastic_to_minion() { printf '%s\n'\ "elasticsearch:"\ " esheap: '$ES_HEAP_SIZE'"\ - " config:"\ - " node:"\ - " attr:"\ - " box_type: hot"\ " " >> $PILLARFILE } diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index ce955e93f..bc0a71b81 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja 
@@ -4,26 +4,23 @@ {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -{% if grains.id.split('_') | last in ['manager','managersearch'] %} +{% if grains.id.split('_') | last in ['manager','managersearch','standalone'] %} {% if LOGSTASH_NODES | length > 1 %} - {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} - {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %} + {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %} + {% for NODE in LOGSTASH_NODES %} + {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} + {% endfor %} + {% if grains.id.split('_') | last == 'manager' %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','remote_cluster_client']}) %} + {% else %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} + {% endif %} {% endif %} - {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %} - {% for NODE in LOGSTASH_NODES %} - {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} - {% endfor %} - {% endif %} - {% if grains.id.split('_') | last == 'manager' %} - {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': ''}) %} - {% endif %} -{% elif grains.id.split('_') | last not in ['eval', 'standalone', 'import'] %} +{% elif grains.id.split('_') | last == 'searchnode' %} {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %} {% if HIGHLANDER %} {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} {% endif %} - {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %} {% endif %} {% if HIGHLANDER %} 
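Review bot: the `elif` branch was narrowed from `not in ['eval', 'standalone', 'import']` to `== 'searchnode'`, so any other role that previously fell through here — `heavynode` in particular, which the firewall map in this series still treats as an Elasticsearch peer — no longer gets `node.roles` or `discovery.seed_hosts` set and would start with Elasticsearch defaults. If heavy nodes are meant to keep joining the cluster, the condition should read `in ['searchnode', 'heavynode']`; if they are deliberately dropped, a `{# heavynode intentionally excluded #}` comment would stop this being re-added by mistake. The trailing `{% if HIGHLANDER %}` block continues past the hunk.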
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index d47125972..0680350e2 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,8 +1,6 @@ elasticsearch: config: - node: - attr: - box_type: hot + node: {} cluster: routing: allocation: diff --git a/salt/elasticsearch/templates/component/so/case-settings.json b/salt/elasticsearch/templates/component/so/case-settings.json index 46c3cdeb9..fd0de349c 100644 --- a/salt/elasticsearch/templates/component/so/case-settings.json +++ b/salt/elasticsearch/templates/component/so/case-settings.json @@ -2,13 +2,6 @@ "template": { "settings": { "index": { - "routing": { - "allocation": { - "require": { - "box_type": "hot" - } - } - }, "mapping": { "total_fields": { "limit": "3000" diff --git a/salt/elasticsearch/templates/component/so/common-settings.json b/salt/elasticsearch/templates/component/so/common-settings.json index 7d60192c3..34c9e2b18 100644 --- a/salt/elasticsearch/templates/component/so/common-settings.json +++ b/salt/elasticsearch/templates/component/so/common-settings.json @@ -2,13 +2,6 @@ "template": { "settings": { "index": { - "routing": { - "allocation": { - "require": { - "box_type": "hot" - } - } - }, "mapping": { "total_fields": { "limit": "3000" From 007e2baf411866b604fbc0b0e4d40dc00244a1d6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 21 Mar 2023 17:46:52 -0400 Subject: [PATCH 376/470] Change Elastic Logic --- salt/firewall/assigned_hostgroups.map.yaml | 43 +--------------------- 1 file changed, 2 insertions(+), 41 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 2e54a5e9f..fec694541 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
@@ -295,6 +295,7 @@ role: - {{ portgroups.sensoroni }} - {{ portgroups.yum }} - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} heavynodes: portgroups: @@ -303,6 +304,7 @@ role: - {{ portgroups.sensoroni }} - {{ portgroups.yum }} - {{ portgroups.redis }} + - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} self: portgroups: @@ -355,47 +357,6 @@ role: heavynodes: portgroups: - {{ portgroups.salt_manager }} - helixsensor: - chain: - DOCKER-USER: - hostgroups: - manager: - portgroups: - - {{ portgroups.playbook }} - - {{ portgroups.mysql }} - - {{ portgroups.kibana }} - - {{ portgroups.redis }} - - {{ portgroups.influxdb }} - - {{ portgroups.elasticsearch_rest }} - - {{ portgroups.elasticsearch_node }} - sensors: - portgroups: - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} - searchnodes: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.elasticsearch_node }} - self: - portgroups: - - {{ portgroups.syslog}} - beats_endpoint: - portgroups: - - {{ portgroups.beats_5044 }} - analyst: - portgroups: - - {{ portgroups.nginx }} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} searchnode: chain: DOCKER-USER: From fdaf8e8c6853e4ba5bac011862c0afb871b77064 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Mar 2023 09:38:40 -0400 Subject: [PATCH 377/470] idh changes for web ui --- salt/idh/defaults.yaml | 34 ++++++++++++++-------------- salt/idh/opencanary_config.map.jinja | 29 ++++++++++++++++++++++-- salt/idh/openssh/map.jinja | 2 +- 3 files changed, 45 insertions(+), 20 deletions(-) diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml index c5685838d..39e8a6074 100644 --- a/salt/idh/defaults.yaml +++ b/salt/idh/defaults.yaml 
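Review bot: the new `portgroups.elasticsearch_rest` entries widen what searchnodes and heavynodes may reach on the manager from the transport port group to the REST API as well, and nothing in the hunk records why that is now needed. A short comment above each addition, e.g. `# REST access needed for: <reason>`, would let the next firewall review confirm the rule is still necessary rather than inherited. The `helixsensor` removal is a straight deletion and needs nothing.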
@@ -31,13 +31,13 @@ idh: tcpbanner_1.keep_alive_probes: 11 tcpbanner_1.keep_alive_interval: 300 tcpbanner_1.keep_alive_idle: 300 - ftp.enabled: true + ftp.enabled: false ftp.port: 21 ftp.banner: FTP server ready - git.enabled: true + git.enabled: false git.port: 9418 http.banner: Apache/2.2.34 (Ubuntu) - http.enabled: true + http.enabled: false http.port: 80 http.skin: nasLogin http.skinlist: @@ -45,7 +45,7 @@ idh: name: basicLogin - desc: Synology NAS Login name: nasLogin - httpproxy.enabled: true + httpproxy.enabled: false httpproxy.port: 8080 httpproxy.skin: squid httpproxy.skinlist: @@ -53,36 +53,36 @@ idh: name: squid - desc: Microsoft ISA Server Web Proxy name: ms-isa - mssql.enabled: true + mssql.enabled: false mssql.version: '2012' mssql.port: 1433 - mysql.enabled: true + mysql.enabled: false mysql.port: 3306 mysql.banner: 5.5.43-0ubuntu0.14.04.1 - ntp.enabled: true - ntp.port: '123' - redis.enabled: true + ntp.enabled: false + ntp.port: 123 + redis.enabled: false redis.port: 6379 - sip.enabled: true + sip.enabled: false sip.port: 5060 smb.auditfile: /var/log/samba-audit.log - smb.enabled: true - snmp.enabled: true + smb.enabled: false + snmp.enabled: false snmp.port: 161 - ssh.enabled: true + ssh.enabled: false ssh.port: 22 ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 - telnet.enabled: true - telnet.port: '23' + telnet.enabled: false + telnet.port: 23 telnet.banner: '' telnet.honeycreds: - username: admin password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA - username: admin password: admin1 - tftp.enabled: true + tftp.enabled: false tftp.port: 69 - vnc.enabled: true + vnc.enabled: false vnc.port: 5900 openssh: enable: true diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja index f81de4518..6833f3838 100644 --- a/salt/idh/opencanary_config.map.jinja +++ b/salt/idh/opencanary_config.map.jinja 
@@ -1,10 +1,33 @@ -{% set idh_services = salt['pillar.get']('idh:services', []) %} +{# this list of services is used to loop through and add fw rules if the service is enabled #} +{# smb is not in this list since it does not need any ports open #} +{% set idh_services = [ + 'ftp', + 'git', + 'http', + 'httpproxy', + 'mssql', + 'mysql', + 'ntp', + 'redis', + 'sip', + 'snmp', + 'ssh', + 'telnet', + 'tftp', + 'vnc' +] %} {% set IDH_PORTGROUPS = {} %} {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %} {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %} +{# update skinlist to skin.list to avoid issues with SOC UI config #} +{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http.skinlist') %} +{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy.skinlist') %} +{% do OPENCANARYCONFIG.update({'http.skin.list': HTTPSKINLIST}) %} +{% do OPENCANARYCONFIG.update({'httpproxy.skin.list': HTTPPROXYSKINLIST}) %} + {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %} {% for service in idh_services %} @@ -13,7 +36,9 @@ {% else %} {% set proto = 'tcp' %} {% endif %} - {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %} + {% if OPENCANARYCONFIG[service ~ '.enabled'] %} + {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %} + {% endif %} {% endfor %} {% do IDH_PORTGROUPS.update({'openssh': {'tcp': [OPENSSH.config.port]}}) %} diff --git a/salt/idh/openssh/map.jinja b/salt/idh/openssh/map.jinja index 4bb99bc03..bd8fbe316 100644 --- a/salt/idh/openssh/map.jinja +++ b/salt/idh/openssh/map.jinja @@ -1,4 +1,4 @@ -{% import_yaml "idh/defaults/defaults.yaml" as idh_defaults with context %} +{% import_yaml "idh/defaults.yaml" as idh_defaults with context %} {% set openssh_map = salt['grains.filter_by']({ 'Debian': { 
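Review bot: the hard-coded `idh_services` list decides which services get a firewall port group, but it omits `tcpbanner` even though `tcpbanner_1.enabled` and `tcpbanner_1.port` exist in the defaults, so an enabled TCP banner listener would get no rule; the comment only explains why `smb` is left out. If that is intended, extend the comment, e.g. `{# tcpbanner and portscan are also excluded: <reason> #}`; otherwise add the service, noting its keys are `tcpbanner_1.*` so the `service ~ '.port'` lookup would need adjusting. The two `pop()` calls raise if a pillar override removes `http.skinlist`/`httpproxy.skinlist`, though with `merge=True` over the defaults that should not normally happen.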
From 5a2ef21ce4bcb911e65a7fe4663e2c0c86c24df2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 22 Mar 2023 09:55:30 -0400 Subject: [PATCH 378/470] add sensor vars to eval --- salt/vars/eval.map.jinja | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/vars/eval.map.jinja b/salt/vars/eval.map.jinja index 9a47fc42f..3c2e66a97 100644 --- a/salt/vars/eval.map.jinja +++ b/salt/vars/eval.map.jinja @@ -1,10 +1,12 @@ {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} +{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %} {% set ROLE_GLOBALS = {} %} {% set EVAL_GLOBALS = [ - ELASTICSEARCH_GLOBALS + ELASTICSEARCH_GLOBALS, + SENSOR_GLOBALS ] %} From 68380d7ecb453a44953b6d9a29a555881c142362 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 22 Mar 2023 11:02:38 -0400 Subject: [PATCH 379/470] Change data_stream.dataset from 'file' to 'strelka' --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 7930e05d6..c2fa05074 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -55,7 +55,7 @@ echo # Strelka logs echo echo "Setting up Strelka package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "strelka", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}' echo # Syslog TCP Port 514 
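Review bot: the rewritten curl line still has no `--fail`, so a non-2xx reply from Kibana (for example a validation error on the new `data_stream.dataset` value) is printed but the script continues with exit status 0; adding `--fail` to this and the sibling policy-load calls would surface it. The large inline JSON body also makes a one-word change hard to review; moving it to a heredoc or a file would help future edits.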
@@ -110,4 +110,4 @@ echo echo echo "Setting up IDH package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' -echo \ No newline at end of file +echo From 6d87620c6a8c2b371d706c893abadd99d221c2e3 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 22 Mar 2023 11:04:18 -0400 Subject: [PATCH 380/470] Explicitly set 'event.dataset' as 'file' --- salt/elasticsearch/files/ingest/strelka.file | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index fbcf1252a..80063c531 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file 
@@ -1,6 +1,7 @@ { "description" : "strelka", "processors" : [ + { "set": { "field": "event.dataset", "value": "file" } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } }, { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, From d2bc5e4af211602a4473c4d0d9491ea6894fa7df Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 22 Mar 2023 15:45:51 -0400 Subject: [PATCH 381/470] Update config.map.jinja --- salt/elasticsearch/config.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index bc0a71b81..7c4a2c3a5 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja @@ -11,7 +11,7 @@ {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %} {% endfor %} {% if grains.id.split('_') | last == 'manager' %} - {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','remote_cluster_client']}) %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %} {% else %} {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} {% endif %} From eaaa0289993e5d07f25f4edea5fe0b27848ecd51 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 22 Mar 2023 19:52:13 +0000 Subject: [PATCH 382/470] Update Elastic Agent template settings --- salt/elasticsearch/defaults.yaml | 126 ++++++++++++++++++++++--------- 1 file changed, 92 insertions(+), 34 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 0680350e2..8acaa6749 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,8 @@ elasticsearch: config: - node: {} + node: + attr: + box_type: hot cluster: routing: allocation: 
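Review bot: after this change both branches of `{% if grains.id.split('_') | last == 'manager' %}` assign the same `['master', 'data', 'remote_cluster_client']` list, so the conditional is dead code; collapse it to the single `{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}` line. If the manager is expected to diverge again later, a comment saying so would justify keeping the branch. The enclosing `{% if LOGSTASH_NODES | length > 1 %}` block starts and ends outside the hunk.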
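Review bot: `node.attr.box_type: hot` is restored here, but the 'Change Elastic Logic' commit earlier in this series removed the `routing.allocation.require.box_type` setting from the component templates and stopped so-minion from writing the attribute, so nothing visible consumes it now. If it is kept for a template outside this diff, a comment naming that consumer would prevent it being cleaned up again; otherwise it can be dropped. The rest of the `elasticsearch.config` mapping continues past the hunk.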
@@ -55,7 +57,60 @@ elasticsearch: elasticsearch: deprecation: ERROR index_settings: - so-logs-elastic_agent.apm_server: + so-logs: + index_sorting: False + index_template: + index_patterns: + - "logs-*-*" + template: + settings: + index: + number_of_replicas: 0 + mapping: + total_fields: + limit: 5001 + sort: + field: "@timestamp" + order: desc + mappings: + _meta: + package: + name: elastic_agent + managed_by: security_onion + managed: true + composed_of: + - "so-data-streams-mappings" + - "so-logs-mappings" + - "so-logs-settings" + priority: 225 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + hot: + min_age: 0ms + actions: + set_priority: + priority: 100 + rollover: + max_age: 30d + max_primary_shard_size: 50gb + cold: + min_age: 30d + actions: + set_priority: + priority: 0 + delete: + min_age: 365d + actions: + delete: {} + _meta: + package: + name: elastic_agent + managed_by: security_onion + managed: true + logs-elastic_agent.apm_server: index_sorting: False index_template: index_patterns: @@ -77,8 +132,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.apm_server@package" - - "so-logs-elastic_agent.apm_server@custom" + - "logs-elastic_agent.apm_server@package" + - "logs-elastic_agent.apm_server@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -109,7 +164,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.auditbeat: + logs-elastic_agent.auditbeat: index_sorting: False index_template: index_patterns: @@ -131,8 +186,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.auditbeat@package" - - "so-logs-elastic_agent.auditbeat@custom" + - "logs-elastic_agent.auditbeat@package" + - "logs-elastic_agent.auditbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 
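Review bot: the new `so-logs` template matches `logs-*-*` at `priority: 225`, while the per-integration `logs-elastic_agent.*` templates in the same file stay at `priority: 200`; Elasticsearch applies only the highest-priority matching template to a new index, so if those integration templates use `logs-elastic_agent.<x>-*` patterns (their `index_patterns` are cut off here) they would be shadowed by the generic one and their `@package`/`@custom` component templates never applied. Either lower `so-logs` below 200 or confirm the shadowing is intended and note it, e.g. `# priority 225 deliberately overrides the per-integration templates`. `index_sorting: False` next to an explicit `settings.index.sort` block also reads as contradictory; the loader's handling of `index_sorting` is not visible, so a one-line comment on which takes effect would help.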
@@ -163,7 +218,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.cloudbeat: + logs-elastic_agent.cloudbeat: index_sorting: False index_template: index_patterns: @@ -185,8 +240,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.cloudbeat@package" - - "so-logs-elastic_agent.cloudbeat@custom" + - "logs-elastic_agent.cloudbeat@package" + - "logs-elastic_agent.cloudbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -214,7 +269,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.endpoint_security: + logs-elastic_agent.endpoint_security: index_sorting: False index_template: index_patterns: @@ -236,8 +291,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.endpoint_security@package" - - "so-logs-elastic_agent.endpoint_security@custom" + - "logs-elastic_agent.endpoint_security@package" + - "logs-elastic_agent.endpoint_security@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -268,7 +323,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.filebeat: + logs-elastic_agent.filebeat: index_sorting: False index_template: index_patterns: @@ -290,11 +345,14 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.filebeat@package" - - "so-logs-elastic_agent.filebeat@custom" + - "logs-elastic_agent.filebeat@package" + - "logs-elastic_agent.filebeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 + data_stream: + hidden: false + allow_custom_routing: false policy: phases: hot: 
@@ -319,7 +377,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.fleet_server: + logs-elastic_agent.fleet_server: index_sorting: False index_template: index_patterns: @@ -341,8 +399,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.fleet_server@package" - - "so-logs-elastic_agent.fleet_server@custom" + - "logs-elastic_agent.fleet_server@package" + - "logs-elastic_agent.fleet_server@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -373,7 +431,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.heartbeat: + logs-elastic_agent.heartbeat: index_sorting: False index_template: index_patterns: @@ -395,8 +453,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.heartbeat@package" - - "so-logs-elastic_agent.heartbeat@custom" + - "logs-elastic_agent.heartbeat@package" + - "logs-elastic_agent.heartbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -424,7 +482,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent: + logs-elastic_agent: index_sorting: False index_template: index_patterns: @@ -446,8 +504,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent@package" - - "so-logs-elastic_agent@custom" + - "logs-elastic_agent@package" + - "logs-elastic_agent@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -478,7 +536,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.metricbeat: + logs-elastic_agent.metricbeat: index_sorting: False index_template: index_patterns: 
@@ -500,8 +558,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.metricbeat@package" - - "so-logs-elastic_agent.metricbeat@custom" + - "logs-elastic_agent.metricbeat@package" + - "logs-elastic_agent.metricbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -532,7 +590,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.osquerybeat: + logs-elastic_agent.osquerybeat: index_sorting: False index_template: index_patterns: @@ -554,8 +612,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.osquerybeat@package" - - "so-logs-elastic_agent.osquerybeat@custom" + - "logs-elastic_agent.osquerybeat@package" + - "logs-elastic_agent.osquerybeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 @@ -586,7 +644,7 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-logs-elastic_agent.packetbeat: + logs-elastic_agent.packetbeat: index_sorting: False index_template: index_patterns: @@ -608,8 +666,8 @@ elasticsearch: managed_by: security_onion managed: true composed_of: - - "so-logs-elastic_agent.packetbeat@package" - - "so-logs-elastic_agent.packetbeat@custom" + - "logs-elastic_agent.packetbeat@package" + - "logs-elastic_agent.packetbeat@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 200 From 28f5dcd43b352ed32e3b17c0c11a97b1ce3413c6 Mon Sep 17 00:00:00 2001 
From: Wes Date: Wed, 22 Mar 2023 19:57:46 +0000 Subject: [PATCH 383/470] Add managed generic Elastic Agent log component templates --- .../logs-elastic_agent.apm_server@custom.json | 12 + ...logs-elastic_agent.apm_server@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.auditbeat@custom.json | 12 + .../logs-elastic_agent.auditbeat@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.cloudbeat@custom.json | 12 + .../logs-elastic_agent.cloudbeat@package.json | 510 ++++++++++++++++++ ...lastic_agent.endpoint_security@custom.json | 12 + ...astic_agent.endpoint_security@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.filebeat@custom.json | 12 + .../logs-elastic_agent.filebeat@package.json | 505 +++++++++++++++++ ...ogs-elastic_agent.fleet_server@custom.json | 12 + ...gs-elastic_agent.fleet_server@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.heartbeat@custom.json | 12 + .../logs-elastic_agent.heartbeat@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.metricbeat@custom.json | 12 + ...logs-elastic_agent.metricbeat@package.json | 505 +++++++++++++++++ ...logs-elastic_agent.osquerybeat@custom.json | 12 + ...ogs-elastic_agent.osquerybeat@package.json | 505 +++++++++++++++++ .../logs-elastic_agent.packetbeat@custom.json | 12 + ...logs-elastic_agent.packetbeat@package.json | 498 +++++++++++++++++ .../component/logs-elastic_agent@custom.json | 12 + .../component/logs-elastic_agent@package.json | 505 +++++++++++++++++ .../component/so-data-streams-mappings.json | 67 +++ .../so-fleet_agent_id_verification-1.json | 67 +++ .../component/so-fleet_globals-1.json | 66 +++ .../templates/component/so-logs-mappings.json | 21 + .../templates/component/so-logs-settings.json | 22 + 27 files changed, 5928 insertions(+) create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json create mode 100644 
salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent@custom.json create mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent@package.json create mode 100644 
salt/elasticsearch/templates/component/so-data-streams-mappings.json create mode 100644 salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json create mode 100644 salt/elasticsearch/templates/component/so-fleet_globals-1.json create mode 100644 salt/elasticsearch/templates/component/so-logs-mappings.json create mode 100644 salt/elasticsearch/templates/component/so-logs-settings.json diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json new file mode 100644 index 000000000..9fd8c928f --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json 
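Review bot: The new `logs-elastic_agent.apm_server@custom.json` ships an empty `"settings": {}` while every Security Onion addition (the `es_security_analyzer` and the `security` keyword subfields) is written into the sibling `@package` template; Elastic's convention is that `@package` is owned by the integration and rewritten on package upgrade while `@custom` is the persistent hook for local changes, so placing the analyzer and subfields here would make them survive upgrades. The `_meta` block also declares `"managed_by": "fleet"` although the file is installed by this repository's Salt state, and the index templates in the YAML hunks above use `managed_by: security_onion`; `"managed_by": "security_onion"` would be consistent and tells an operator which tool owns the object before they edit it in Kibana. The same two points apply to the other `@custom` files in this commit (auditbeat, cloudbeat, endpoint_security and the rest).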
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
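Review bot: `path_hierarchy_pattern_filter` and `path_tokenizer` are defined under `analysis` but nothing in this template references them — `es_security_analyzer` uses only `whitespace_no_way`, `lowercase`, `trim` and the `keyword` tokenizer — so unless a query or another template names them they are dead settings that every backing index will carry; either drop them or record in `_meta` what consumes them. The inserted `security` subfield blocks are unindented with the comma on its own line (`"type": "keyword"` / `,` / `"fields": {`), which reads like a scripted text insertion; running the file through `jq .` before committing would keep diffs against the upstream package template readable and make a missing brace obvious. The same applies to `logs-elastic_agent.auditbeat@package.json` and `logs-elastic_agent.cloudbeat@package.json` below.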
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json new file mode 100644 index 000000000..9fd8c928f --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json 
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json new file mode 100644 index 000000000..c4874ed3c --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json 
@@ -0,0 +1,510 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, 
+"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 1024, + "type": 
"keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": 
{ + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json 
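Review bot: In `logs-elastic_agent.cloudbeat@package.json` the `message` field is mapped as `keyword` with `"ignore_above": 1024` (plus the `security` subfield), whereas the apm_server and auditbeat templates in this commit map `message` as `text`, and cloudbeat's `default_field` list also omits `log.level` and `message`. With a keyword mapping any `message` value longer than 1024 characters is skipped by the keyword field and only the `security` subfield remains searchable, which matters for an agent log stream that analysts may pivot on. If this mirrors the upstream cloudbeat package it deserves a `_meta` note such as `"note": "message mapped as keyword per upstream cloudbeat template"`; otherwise `"message": { "type": "text" }` would make it consistent with its siblings.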
@@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json new file mode 100644 index 000000000..36978b0d8 --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json 
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
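Review bot: The `analysis` block near the top of this hunk defines `path_hierarchy_pattern_filter` (a `pattern_capture` filter) and `path_tokenizer` (a `path_hierarchy` tokenizer), but the only analyzer declared, `es_security_analyzer`, references neither; it uses the `whitespace_no_way` char filter, `lowercase`, `trim` and the `keyword` tokenizer. The two unused definitions are copied into every backing index's settings for no effect and read like leftovers from a template that had a path-aware subfield. Either remove them or wire them to an analyzer that a mapping actually uses. The name `whitespace_no_way` is also misleading, since `"pattern": "(\\s)+"` with `"replacement": "$1"` collapses whitespace runs to a single character rather than removing whitespace; a name such as `collapse_whitespace` would match the behaviour.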
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json
new file mode 100644
index 000000000..36978b0d8
--- /dev/null
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
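Review bot: This 505-line template is byte-identical to the endpoint_security one added just before it (both headers show blob `36978b0d8`), and the fleet_server and metricbeat copies that follow carry the same hash, so the same analyzer settings and mappings are now maintained in four places by hand. Nothing in the content is specific to the filebeat data stream; a single Salt/Jinja source rendered once per dataset name would keep the copies from drifting, which the heartbeat variant (blob `f353ac542`) already shows is happening. If separate files are required because Fleet addresses them by name, generate them from one source in the build rather than committing duplicates.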
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json
new file mode 100644
index 000000000..36978b0d8
--- /dev/null
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
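Review bot: The `_meta` block at the end of this hunk declares the template Fleet-owned (`"managed_by": "fleet", "managed": true`) although it is distributed by Salt and carries local additions, so two systems now claim the same object. Kibana presents `managed: true` templates as locked and Fleet presumably considers a `managed_by: fleet` template its own to overwrite, which would silently discard the `.security` subfields on the next package install; confirm against the Fleet version deployed. If Salt is the source of truth for this file, set `"managed_by": "salt"` (or drop the flag) so the ownership is visible in the cluster, and keep the locally added settings in the `@custom` template that Fleet leaves untouched.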
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json
new file mode 100644
index 000000000..f353ac542
--- /dev/null
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
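Review bot: This copy differs from the endpoint_security, filebeat and fleet_server templates only in the order of the `message` and `event` properties at the end of the hunk, which is why its blob hash (`f353ac542`) differs while the content is functionally the same. Elasticsearch ignores property order in a mapping, so there is no runtime effect, but the stray reordering shows the files are edited by hand and makes a diff between the copies noisy. Normalise the property order to match the other three so a future divergence in analyzer settings or field types stands out, or render all of them from one template.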
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json
new file mode 100644
index 000000000..36978b0d8
--- /dev/null
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
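Review bot: The `analysis` settings block (`es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter`, `path_tokenizer`) is copied verbatim into this template and again into the osquerybeat, packetbeat and elastic_agent @package templates in the following hunks, yet `path_hierarchy_pattern_filter` and `path_tokenizer` are referenced by no analyzer in any of them. Moving the shared analysis settings into one component template that the index templates compose with these would stop the copies drifting, and the unused filter and tokenizer should be dropped unless an analyzer is meant to use them. The `"security"` sub-field blocks are spliced in flush-left with a dangling comma line (`"type": "keyword"`, then `,`, then `"fields": {`), which reads as a scripted edit over a Fleet export; re-serialising the file with a JSON formatter before committing keeps later diffs reviewable. This file and the osquerybeat one share blob 36978b0d8, i.e. they are byte-identical, and with `"dynamic": false` any field outside the listed properties is stored but not indexed, so a one-line `_meta.description` stating that these mappings cover (presumably) only the agent's own log fields would save the next maintainer from expecting collector-specific fields to be searchable.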
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json
new file mode 100644
index 000000000..36978b0d8
--- /dev/null
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json
new file mode 100644
index 000000000..9e593d3f8
--- /dev/null
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json
@@ -0,0 +1,498 @@ +{ + "template": { + "settings": { +"analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json new file mode 100644 index 000000000..fe77af1db --- /dev/null +++ b/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json @@ -0,0 +1,12 @@ +{ + "template": { + "settings": {} + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent@package.json new file mode 100644 index 000000000..7df3309b1 --- /dev/null 
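Review bot: The packetbeat template omits the `event.dataset` constant_keyword mapping that the metricbeat, osquerybeat and elastic_agent @package templates carry (498 lines against their 505), while keeping `"dynamic": false`, so `event.dataset` in these documents is only indexed if some other composed component template maps it. If the omission is unintentional, add after the `elastic_agent` properties block: `"event": { "properties": { "dataset": { "type": "constant_keyword" } } },`. If it is intentional, a short `_meta.description` saying so would spare the next reader the three-way diff.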
+++ b/salt/elasticsearch/templates/component/logs-elastic_agent@package.json 
@@ -0,0 +1,505 @@ +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "index": { + "lifecycle": { + "name": "logs" + }, + "codec": "best_compression", + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "query": { + "default_field": [ + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "cloud.project.id", + "cloud.image.id", + "container.id", + "container.image.name", + "container.name", + "host.architecture", + "host.domain", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.os.build", + "host.os.codename", + "host.type", + "log.level", + "message", + "elastic_agent.id", + "elastic_agent.process", + "elastic_agent.version" + ] + } + } + }, + "mappings": { + "dynamic": false, + "properties": { + "cloud": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "instance": { + "properties": { + "name": { + "ignore_above": 1024, 
+ "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "labels": { + "type": "object" + } + } + }, + "@timestamp": { + "type": "date" + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "log": { + "properties": { + "level": { + "ignore_above": 
1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "data_stream": { + "properties": { + "namespace": { + "type": "constant_keyword" + }, + "type": { + "type": "constant_keyword" + }, + "dataset": { + "type": "constant_keyword" + } + } + }, + "host": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + +"security": { +"type": "text", +"analyzer": "es_security_analyzer"}, + "text": { + "type": "text" + } + } + }, + "family": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "ip": { + "type": "ip" + }, + "containerized": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} 
+} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "type": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + } + } + }, + "elastic_agent": { + "properties": { + "process": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "id": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "version": { + "ignore_above": 1024, + "type": "keyword" +, +"fields": { +"security": { +"type": "text", +"analyzer": "es_security_analyzer"} +} + }, + "snapshot": { + "type": "boolean" + } + } + }, + "event": { + "properties": { + "dataset": { + "type": "constant_keyword" + } + } + }, + "message": { + "type": "text" + } + } + } + }, + "_meta": { + "package": { + "name": "elastic_agent" + }, + "managed_by": "fleet", + "managed": true + } +} diff --git a/salt/elasticsearch/templates/component/so-data-streams-mappings.json b/salt/elasticsearch/templates/component/so-data-streams-mappings.json new file mode 100644 index 000000000..b4373799b --- /dev/null +++ b/salt/elasticsearch/templates/component/so-data-streams-mappings.json 
@@ -0,0 +1,67 @@
+{
+ "template": {
+ "mappings": {
+ "dynamic_templates": [
+ {
+ "match_ip": {
+ "mapping": {
+ "type": "ip"
+ },
+ "match_mapping_type": "string",
+ "match": "ip"
+ }
+ },
+ {
+ "match_message": {
+ "mapping": {
+ "type": "match_only_text"
+ },
+ "match_mapping_type": "string",
+ "match": "message"
+ }
+ },
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false,
+ "properties": {
+ "@timestamp": {
+ "type": "date"
+ },
+ "ecs": {
+ "properties": {
+ "version": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "data_stream": {
+ "properties": {
+ "namespace": {
+ "type": "constant_keyword"
+ },
+ "dataset": {
+ "type": "constant_keyword"
+ }
+ }
+ },
+ "host": {
+ "type": "object"
+ }
+ }
+ }
+ },
+ "version": 2,
+ "_meta": {
+ "managed": true,
+ "description": "general mapping conventions for data streams"
+ }
+ }
diff --git a/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json
new file mode 100644
index 000000000..e2548d539
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json
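Review bot: The `match_ip` dynamic template maps every string field named `ip`, at any nesting depth, to the `ip` type, so an event whose `ip` value is not a parseable address is rejected by the mapper and the whole document is lost rather than just that one field. Log sources routinely put hostnames, empty strings or free text in fields named `ip`, and for a security data stream a silently dropped event is worse than an unindexed value. Unless an upstream ingest pipeline already validates these values (nothing in this hunk shows that), consider `"mapping": { "type": "ip", "ignore_malformed": true }` so the document is still indexed. This template also leaves `managed_by` out of `_meta` while the sibling `so-fleet_globals-1.json` in the same commit sets it; adding `"managed_by": "security_onion",` keeps ownership of the Security Onion copies consistent.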
@@ -0,0 +1,67 @@
+{
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ },
+ "index": {
+ "final_pipeline": ".fleet_final_pipeline-1"
+ }
+ },
+ "mappings": {
+ "properties": {
+ "event": {
+ "properties": {
+ "agent_id_status": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "ingested": {
+ "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
+ "type": "date"
+ }
+ }
+ }
+ }
+ }
+ },
+ "_meta": {
+ "managed_by": "fleet",
+ "managed": true
+ }
+ }
diff --git a/salt/elasticsearch/templates/component/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/so-fleet_globals-1.json
new file mode 100644
index 000000000..e1529ba82
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so-fleet_globals-1.json
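Review bot: `_meta.managed_by` is `"fleet"` here although the file is installed from the Security Onion salt tree, and the sibling `so-fleet_globals-1.json` in this same commit uses `"managed_by": "security_onion"`; the mismatch leaves it ambiguous whether Fleet or Security Onion is expected to own and overwrite this template on upgrade, so `"managed_by": "security_onion",` would be the consistent value. The template also pins `index.final_pipeline` to `.fleet_final_pipeline-1`, which means any index built from it stops accepting documents if that pipeline is absent or renamed by a Fleet upgrade; I can't tell from the hunk whether the pipeline is provisioned before these templates are applied, so that ordering is worth confirming. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined but not referenced by `es_security_analyzer`, the only analyzer in this file; if no other composed template uses them they are dead settings and should go.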
@@ -0,0 +1,66 @@
+{
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
+ "mappings": {
+ "_meta": {
+ "managed_by": "security_onion",
+ "managed": true
+ },
+ "dynamic_templates": [
+ {
+ "strings_as_keyword": {
+ "mapping": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "match_mapping_type": "string"
+ }
+ }
+ ],
+ "date_detection": false
+ }
+ },
+ "_meta": {
+ "managed_by": "security_onion",
+ "managed": true
+ }
+ }
diff --git a/salt/elasticsearch/templates/component/so-logs-mappings.json b/salt/elasticsearch/templates/component/so-logs-mappings.json
new file mode 100644
index 000000000..09b0db6b2
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so-logs-mappings.json
@@ -0,0 +1,21 @@
+ {
+ "template": {
+ "mappings": {
+ "properties": {
+ "data_stream": {
+ "properties": {
+ "type": {
+ "type": "constant_keyword",
+ "value": "logs"
+ }
+ }
+ }
+ }
+ }
+ },
+ "version": 2,
+ "_meta": {
+ "managed": true,
+ "description": "default mappings for the logs index template installed by x-pack"
+ }
+ }
diff --git a/salt/elasticsearch/templates/component/so-logs-settings.json b/salt/elasticsearch/templates/component/so-logs-settings.json
new file mode 100644
index 000000000..dc739c83c
--- /dev/null
+++ b/salt/elasticsearch/templates/component/so-logs-settings.json
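Review bot: The `whitespace_no_way` char filter does not remove whitespace as its name suggests: `(\\s)+` with replacement `$1` collapses each run of whitespace to its last character, and because `es_security_analyzer` uses the `keyword` tokenizer with only `lowercase` and `trim` after it, internal whitespace survives in the indexed token. If whitespace normalization for case-insensitive matching is the intent, record that in the template so the next maintainer does not "fix" it; JSON has no comments, so the outer `_meta` is the place, e.g. `"description": "es_security_analyzer: lowercase, trim, collapse internal whitespace runs to one character"`. If removal was actually intended, `"replacement": ""` is the one-token change. The `path_hierarchy_pattern_filter` and `path_tokenizer` definitions are not used by any analyzer in this file; they may be referenced from another composed template, which is worth confirming before keeping them.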
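Review bot: `_meta.description` in `so-logs-mappings.json` says the template is "installed by x-pack", but this copy is shipped from the Security Onion salt tree, so the text misattributes ownership, and unlike `so-fleet_globals-1.json` in the same commit no `managed_by` is set. Suggest adding `"managed_by": "security_onion",` to `_meta` and a description such as `"description": "Security Onion copy of the x-pack logs mappings; pins data_stream.type to logs"` so an operator inspecting the cluster can tell which tool will overwrite it. The leading space before the opening `{` on the first line is harmless to the JSON parser but inconsistent with the other new files and worth dropping.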
@@ -0,0 +1,22 @@
+{
+ "template": {
+ "settings": {
+ "index": {
+ "lifecycle": {
+ "name": "logs"
+ },
+ "codec": "best_compression",
+ "query": {
+ "default_field": [
+ "message"
+ ]
+ }
+ }
+ }
+ },
+ "version": 2,
+ "_meta": {
+ "managed": true,
+ "description": "default settings for the logs index template installed by x-pack"
+ }
+ }
From 3fba27a0d469ea8ff8828f492125e0639c1926c2 Mon Sep 17 00:00:00 2001
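Review bot: `index.lifecycle.name` hard-codes the ILM policy `logs`; every index that composes this template attaches to that policy, and if Security Onion provisions its own retention policies instead of the stock `logs` one (nothing in this hunk shows which), those indices sit in an ILM error state and never roll over or get deleted, which silently breaks log retention. Confirm the `logs` policy exists in the cluster the salt state targets, or point `"name"` at the policy Security Onion actually manages. As with the sibling `so-logs-mappings.json`, `_meta.description` still reads "installed by x-pack" and `managed_by` is absent; `"managed_by": "security_onion",` plus a description naming this as the Security Onion copy would make ownership unambiguous.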
From: Wes Date: Wed, 22 Mar 2023 20:45:33 +0000 Subject: [PATCH 384/470] Ensure component template files are in the correct directory --- .../so-data-streams-mappings.json | 0 .../{ => elastic-agent}/so-logs-mappings.json | 0 .../{ => elastic-agent}/so-logs-settings.json | 0 .../logs-elastic_agent.apm_server@custom.json | 12 - ...logs-elastic_agent.apm_server@package.json | 505 ----------------- .../logs-elastic_agent.auditbeat@custom.json | 12 - .../logs-elastic_agent.auditbeat@package.json | 505 ----------------- .../logs-elastic_agent.cloudbeat@custom.json | 12 - .../logs-elastic_agent.cloudbeat@package.json | 510 ------------------ ...lastic_agent.endpoint_security@custom.json | 12 - ...astic_agent.endpoint_security@package.json | 505 ----------------- .../logs-elastic_agent.filebeat@custom.json | 12 - .../logs-elastic_agent.filebeat@package.json | 505 ----------------- ...ogs-elastic_agent.fleet_server@custom.json | 12 - ...gs-elastic_agent.fleet_server@package.json | 505 ----------------- .../logs-elastic_agent.heartbeat@custom.json | 12 - .../logs-elastic_agent.heartbeat@package.json | 505 ----------------- .../logs-elastic_agent.metricbeat@custom.json | 12 - ...logs-elastic_agent.metricbeat@package.json | 505 ----------------- ...logs-elastic_agent.osquerybeat@custom.json | 12 - ...ogs-elastic_agent.osquerybeat@package.json | 505 ----------------- .../logs-elastic_agent.packetbeat@custom.json | 12 - ...logs-elastic_agent.packetbeat@package.json | 498 ----------------- .../component/logs-elastic_agent@custom.json | 12 - .../component/logs-elastic_agent@package.json | 505 ----------------- .../so-fleet_agent_id_verification-1.json | 67 --- .../component/so-fleet_globals-1.json | 66 --- 27 files changed, 5818 deletions(-) rename salt/elasticsearch/templates/component/{ => elastic-agent}/so-data-streams-mappings.json (100%) rename salt/elasticsearch/templates/component/{ => elastic-agent}/so-logs-mappings.json (100%) rename 
salt/elasticsearch/templates/component/{ => elastic-agent}/so-logs-settings.json (100%) delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json delete mode 100644 
salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/logs-elastic_agent@package.json delete mode 100644 salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json delete mode 100644 salt/elasticsearch/templates/component/so-fleet_globals-1.json diff --git a/salt/elasticsearch/templates/component/so-data-streams-mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-data-streams-mappings.json similarity index 100% rename from salt/elasticsearch/templates/component/so-data-streams-mappings.json rename to salt/elasticsearch/templates/component/elastic-agent/so-data-streams-mappings.json diff --git a/salt/elasticsearch/templates/component/so-logs-mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-logs-mappings.json similarity index 100% rename from salt/elasticsearch/templates/component/so-logs-mappings.json rename to salt/elasticsearch/templates/component/elastic-agent/so-logs-mappings.json diff --git a/salt/elasticsearch/templates/component/so-logs-settings.json b/salt/elasticsearch/templates/component/elastic-agent/so-logs-settings.json similarity index 100% rename from salt/elasticsearch/templates/component/so-logs-settings.json rename to salt/elasticsearch/templates/component/elastic-agent/so-logs-settings.json diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@custom.json +++ /dev/null 
@@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json deleted file mode 100644 index 9fd8c928f..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.apm_server@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json deleted file mode 100644 index 9fd8c928f..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.auditbeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json deleted file mode 100644 index c4874ed3c..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.cloudbeat@package.json +++ /dev/null 
@@ -1,510 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, 
-"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": 
"keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": 
{ - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@custom.json +++ /dev/null 
@@ -1,12 +0,0 @@
-{
- "template": {
- "settings": {}
- },
- "_meta": {
- "package": {
- "name": "elastic_agent"
- },
- "managed_by": "fleet",
- "managed": true
- }
-}
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json
deleted file mode 100644
index 36978b0d8..000000000
--- a/salt/elasticsearch/templates/component/logs-elastic_agent.endpoint_security@package.json
+++ /dev/null
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json
deleted file mode 100644
index 36978b0d8..000000000
--- a/salt/elasticsearch/templates/component/logs-elastic_agent.filebeat@package.json
+++ /dev/null
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json
deleted file mode 100644
index 36978b0d8..000000000
--- a/salt/elasticsearch/templates/component/logs-elastic_agent.fleet_server@package.json
+++ /dev/null
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json
deleted file mode 100644
index f353ac542..000000000
--- a/salt/elasticsearch/templates/component/logs-elastic_agent.heartbeat@package.json
+++ /dev/null
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json
deleted file mode 100644
index 36978b0d8..000000000
--- a/salt/elasticsearch/templates/component/logs-elastic_agent.metricbeat@package.json
+++ /dev/null
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json deleted file mode 100644 index 36978b0d8..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.osquerybeat@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} 
diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json deleted file mode 100644 index 9e593d3f8..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent.packetbeat@package.json +++ /dev/null 
@@ -1,498 +0,0 @@ -{ - "template": { - "settings": { -"analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json deleted file mode 100644 index fe77af1db..000000000 --- a/salt/elasticsearch/templates/component/logs-elastic_agent@custom.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/logs-elastic_agent@package.json deleted file mode 100644 index 7df3309b1..000000000 
--- a/salt/elasticsearch/templates/component/logs-elastic_agent@package.json +++ /dev/null 
@@ -1,505 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, 
- "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "labels": { - "type": "object" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 
1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - -"security": { -"type": "text", -"analyzer": "es_security_analyzer"}, - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} 
-} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "type": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "id": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "version": { - "ignore_above": 1024, - "type": "keyword" -, -"fields": { -"security": { -"type": "text", -"analyzer": "es_security_analyzer"} -} - }, - "snapshot": { - "type": "boolean" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - }, - "message": { - "type": "text" - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json b/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json deleted file mode 100644 index e2548d539..000000000 --- a/salt/elasticsearch/templates/component/so-fleet_agent_id_verification-1.json +++ /dev/null 
@@ -1,67 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "index": { - "final_pipeline": ".fleet_final_pipeline-1" - } - }, - "mappings": { - "properties": { - "event": { - "properties": { - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", - "type": "date" - } - } - } - } - } - }, - "_meta": { - "managed_by": "fleet", - "managed": true - } - } diff --git a/salt/elasticsearch/templates/component/so-fleet_globals-1.json b/salt/elasticsearch/templates/component/so-fleet_globals-1.json deleted file mode 100644 index e1529ba82..000000000 --- a/salt/elasticsearch/templates/component/so-fleet_globals-1.json +++ /dev/null 
@@ -1,66 +0,0 @@ -{ - "template": { - "settings": { - "analysis": { - "analyzer": { - "es_security_analyzer": { - "type": "custom", - "char_filter": [ - "whitespace_no_way" - ], - "filter": [ - "lowercase", - "trim" - ], - "tokenizer": "keyword" - } - }, - "char_filter": { - "whitespace_no_way": { - "type": "pattern_replace", - "pattern": "(\\s)+", - "replacement": "$1" - } - }, - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": true, - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - } - }, - "mappings": { - "_meta": { - "managed_by": "security_onion", - "managed": true - }, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false - } - }, - "_meta": { - "managed_by": "security_onion", - "managed": true - } - } From c8e93f0388d15932467277f9048a496a9429ea7f Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Wed, 22 Mar 2023 17:22:21 -0400 Subject: [PATCH 385/470] Update top.sls --- salt/top.sls | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 2c6ad266f..6a403398d 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -22,6 +22,7 @@ base: - cron.running - repo.client - ntp + - schedule 'not G@saltversion:{{saltversion}}': - match: compound @@ -57,7 +58,6 @@ base: {%- if STRELKA %} - strelka {%- endif %} - - schedule - docker_clean - elasticfleet.install_agent_grid @@ -100,7 +100,6 @@ base: - elastalert {%- endif %} - utility - - schedule - soctopus {%- if PLAYBOOK != 0 %} - playbook @@ -144,7 +143,6 @@ base: - elastalert {%- endif %} - utility - - schedule - soctopus - playbook - elasticfleet @@ -195,7 +193,6 @@ base: - elastalert {%- endif %} - utility - - schedule - soctopus - playbook - elasticfleet 
@@ -214,7 +211,6 @@ base: {%- if LOGSTASH %} - logstash {%- endif %} - - schedule - elasticfleet.install_agent_grid - docker_clean @@ -254,7 +250,6 @@ base: - elastalert {%- endif %} - utility - - schedule - soctopus - playbook - elasticfleet @@ -285,7 +280,6 @@ base: {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - - schedule - elasticfleet.install_agent_grid - docker_clean @@ -316,7 +310,6 @@ base: - utility - suricata - zeek - - schedule - elasticfleet - docker_clean @@ -332,7 +325,6 @@ base: {%- if REDIS %} - redis {%- endif %} - - schedule - elasticfleet.install_agent_grid - docker_clean @@ -342,7 +334,6 @@ base: - sensoroni - telegraf - firewall - - schedule - elasticfleet.install_agent_grid - docker_clean - idh From 84360aa9bf4df95ad79e9dd73a04a05d2ae58944 Mon Sep 17 00:00:00 2001 From: Wes Date: Wed, 22 Mar 2023 21:47:49 +0000 Subject: [PATCH 386/470] Set replicas for Osquery manager indices to 0 --- salt/elasticsearch/defaults.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 8acaa6749..2db3174b9 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -110,6 +110,21 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true + logs-osquery-manager: + index_sorting: False + index_template: + index_patterns: + - ".logs-osquery*" + template: + settings: + index: + number_of_replicas: 0 + priority: 501 + _meta: + package: + name: elastic_agent + managed_by: security_onion + managed: true logs-elastic_agent.apm_server: index_sorting: False index_template: From b3ea4194dd8e700edf41f978e9d56bb19cb06ae4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 09:49:02 -0400 Subject: [PATCH 387/470] Only allow reposync to run on managers --- salt/common/tools/sbin/so-repo-sync | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index c69aa44ad..1c09ae60d 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync @@ -7,6 +7,11 @@ . /usr/sbin/so-common +if [ ! -f /root/repodownload.conf ]; then + echo "This script should only run on the manager." + exit 1 +fi + set_version set_os salt_minion_count From f8d5acd37de435843b29767a66cab7b280462a8e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 10:43:47 -0400 Subject: [PATCH 388/470] Saltify it up --- salt/common/tools/sbin/so-common | 10 ++++++---- salt/common/tools/sbin/so-repo-sync | 2 +- salt/manager/defaults.yaml | 5 +++++ salt/manager/init.sls | 31 +++++++++++++++++++++++++++++ salt/manager/soc_manager.yaml | 13 ++++++++++++ 5 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 salt/manager/defaults.yaml diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index dc5ae2123..091529c4d 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -8,10 +8,12 @@ DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" -# Check for prerequisites -if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 +if [ ! -z $NOROOT ]; then + # Check for prerequisites + if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 + fi fi # Define a banner to separate sections diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index 1c09ae60d..3d98ecc89 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync 
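Review bot: The new guard in so-common is inverted: `[ ! -z $NOROOT ]` is true only when NOROOT is set, so the `id -u` check is now skipped for every script that does not set NOROOT, while the one caller that sets `NOROOT=1` in this same patch (so-repo-sync) is the only one still forced to run as root. The intended form is `if [ -z "$NOROOT" ]; then`, with the expansion quoted so the test stays well-formed when the variable is empty or unset. Patch 390 below flips the operator but leaves the expansion unquoted.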
@@ -4,7 +4,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - +NOROOT=1 . /usr/sbin/so-common if [ ! -f /root/repodownload.conf ]; then diff --git a/salt/manager/defaults.yaml b/salt/manager/defaults.yaml new file mode 100644 index 000000000..8bb34690e --- /dev/null +++ b/salt/manager/defaults.yaml @@ -0,0 +1,5 @@ +manager: + reposync: + enabled: True + hour: 3 + minute: 0 \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index a360fb2c5..69911651a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -7,6 +7,8 @@ {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} +{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %} +{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %} include: - salt.minion @@ -14,6 +16,35 @@ include: - manager.sync_es_users - manager.elasticsearch +repo_log_dir: + file.directory: + - name: /opt/so/log/reposync + - user: socore + - group: socore + - recurse: + - user + - group + +repo_dir: + file.directory: + - name: /nsm/repo + - user: socore + - group: socore + - recurse: + - user + - group + +reposync_cron: + {% if MANAGERMERGED.reposync.enabled %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1' + - hour: '{{ MANAGERMERGED.reposync.hour }}' + - minute: '{{ MANAGERMERGED.reposync.minute }}' + socore_own_saltstack: file.directory: - name: /opt/so/saltstack diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index e6e58e524..abcc9d078 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml 
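Review bot: `enabled: True` in the new salt/manager/defaults.yaml is a capitalised YAML 1.1 boolean while the neighbouring reposync settings are plain integers; write it as `enabled: true` so the file passes yamllint's truthy rule and reads the same on 1.1 and 1.2 parsers. The file is also committed without a final newline, as the `\ No newline at end of file` marker shows.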
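Review bot: `reposync_cron` identifies the crontab entry only by its full command string, so any later change to the log redirect or the script path would leave the old line in socore's crontab and add a second one; both the `cron.present` and the `cron.absent` branch should carry a stable `- identifier: reposync` so the entry is matched by that label instead. The job also writes into `/opt/so/log/reposync` and `/nsm/repo` but declares no `require` on `repo_log_dir` or `repo_dir`, so correct ordering currently depends on their position earlier in the same file.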
@@ -1,4 +1,17 @@ manager: + reposync: + enabled: + description: This is the daily task of syncing the Security Onion OS packages. It is recommended that you leave this enabled. + global: True + helpLink: manager.html + hour: + description: The hour of the day in which the repo sync takes place. + global: True + helpLink: manager.html + minute: + description: The minute within the hour specified in hour to run the repo sync. + global: True + helpLink: manager.html elastalert: description: Enable elastalert 1=enabled 0=disabled. global: True From 02aa8662f7bd6074450cf68a6bb78e58f24a0ea0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 10:52:05 -0400 Subject: [PATCH 389/470] Saltify it up --- salt/{common/tools/sbin => manager/files}/so-repo-sync | 5 ----- salt/manager/init.sls | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) rename salt/{common/tools/sbin => manager/files}/so-repo-sync (83%) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/manager/files/so-repo-sync similarity index 83% rename from salt/common/tools/sbin/so-repo-sync rename to salt/manager/files/so-repo-sync index 3d98ecc89..e9e110446 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/manager/files/so-repo-sync @@ -7,11 +7,6 @@ NOROOT=1 . /usr/sbin/so-common -if [ ! -f /root/repodownload.conf ]; then - echo "This script should only run on the manager." - exit 1 -fi - set_version set_os salt_minion_count diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 69911651a..fe26ddebc 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -34,6 +34,14 @@ repo_dir: - user - group +repo_sync_script: + file.managed: + - name: /usr/sbin/so-repo-sync + - source: salt://manager/files/so-repo-sync + - user: root + - group: root + - mode: 755 + reposync_cron: {% if MANAGERMERGED.reposync.enabled %} cron.present: From e52087b7424c6f19becf1543c307a923ec75e863 Mon Sep 17 00:00:00 2001 
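Review bot: `- mode: 755` in `repo_sync_script` is an unquoted integer; Salt documents file modes as strings, and a leading-zero form would be read as octal by the YAML parser, so `- mode: '0755'` states the intent unambiguously. With the manager-only guard removed from the script in the first hunk of this patch, the only thing keeping so-repo-sync off other node types is that this `file.managed` lives in manager/init.sls; a one-line comment above the state, `# deployed to managers only; so-repo-sync no longer checks its own role`, would keep the next maintainer from copying it into another state tree.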
From: Mike Reeves
Date: Thu, 23 Mar 2023 10:54:01 -0400
Subject: [PATCH 390/470] Saltify it up
---
 salt/common/tools/sbin/so-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 091529c4d..5cdb9e57a 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -8,7 +8,7 @@
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
 
-if [ ! -z $NOROOT ]; then
+if [ -z $NOROOT ]; then
 # Check for prerequisites
 if [ "$(id -u)" -ne 0 ]; then
 echo "This script must be run using sudo!"
From b68cf85392cf0aa95739b1d6ba026edcca7b3561 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 23 Mar 2023 11:04:26 -0400
Subject: [PATCH 391/470] Change repo download script location
---
 setup/so-functions | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 96c357c74..74a2f8b28 100755
--- a/setup/so-functions
+++ b/setup/so-functions
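Review bot: `[ -z $NOROOT ]` now has the right sense, but the expansion is still unquoted: when NOROOT is unset the test degenerates to `[ -z ]`, which happens to return true only because `-z` is then evaluated as a non-empty string rather than as the operator, and a value containing whitespace would produce a malformed test. Quote it, `if [ -z "$NOROOT" ]; then`, so the root check is evaluated as written whatever the variable holds.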
@@ -1967,25 +1967,25 @@ repo_sync_local() { # Check for reposync info "Backing up old repos" mkdir -p /nsm/repo - mkdir -p /root/reposync_cache - echo "[main]" > /root/repodownload.conf - echo "gpgcheck=1" >> /root/repodownload.conf - echo "installonly_limit=3" >> /root/repodownload.conf - echo "clean_requirements_on_remove=True" >> /root/repodownload.conf - echo "best=True" >> /root/repodownload.conf - echo "skip_if_unavailable=False" >> /root/repodownload.conf - echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf - echo "keepcache=0" >> /root/repodownload.conf - echo "[securityonionsync]" >> /root/repodownload.conf - echo "name=Security Onion Repo repo" >> /root/repodownload.conf - echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /root/repodownload.conf - echo "enabled=1" >> /root/repodownload.conf - echo "gpgcheck=1" >> /root/repodownload.conf - echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf + mkdir -p /opt/so/conf/reposync/cache + echo "[main]" > /opt/so/conf/reposync/repodownload.conf + echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf + echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf + echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf + echo "best=True" >> /opt/so/conf/reposync/repodownload.conf + echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf + echo "cachedir=/opt/so/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf + echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf + echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf + echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf + echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf + echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf + echo "gpgcheck=1" >> 
/opt/so/conf/reposync/repodownload.conf + echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf logCmd "dnf repolist" # Make sure we can get to the sig repo - logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" + logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 3756c935180e2f5fe59e1783482e0e1943c6ee2d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:05:48 -0400 Subject: [PATCH 392/470] Change repo download script location --- salt/manager/files/so-repo-sync | 2 +- setup/so-functions | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/manager/files/so-repo-sync b/salt/manager/files/so-repo-sync index e9e110446..051a1fff7 100644 --- a/salt/manager/files/so-repo-sync +++ b/salt/manager/files/so-repo-sync @@ -12,5 +12,5 @@ set_os salt_minion_count curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup -dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ +dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ createrepo /nsm/repo \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 74a2f8b28..6552020c4 100755 --- a/setup/so-functions 
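Review bot: Both `dnf reposync` calls at the end of the hunk still pass `-c /root/repodownload.conf`, but this patch stops writing that file and writes `/opt/so/conf/reposync/repodownload.conf` instead, so a fresh install's repo sync would fail until patch 392 below corrects the path; likewise `cachedir=/opt/so/reposync/cache` does not match the `/opt/so/conf/reposync/cache` directory created a few lines above it (patch 395 reconciles that). The checkup download also changes its target from `/tmp/checkup` to `/tmp/install` with nothing else in the hunk referring to the new name, so it is not clear the rename was intended; since this runs as root during setup, a fixed file name under /tmp is better replaced with `mktemp`. `repo_sync_local()` continues past the end of the hunk.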
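Review bot: The context line above the changed one sends `-A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT'` inside single quotes, so the values produced by `set_version`, `set_os` and `salt_minion_count` just above are never expanded and the literal variable names go on the wire; if the checkin is meant to carry them, the string needs double quotes. The three commands also run without any status check, so a failed `dnf reposync` still proceeds to `createrepo /nsm/repo` and the cron job's exit status reflects only that last command; `set -e` near the top, or `|| exit 1` on the reposync line, would make the failure visible in the reposync log. The file still ends without a trailing newline.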
+++ b/setup/so-functions @@ -1986,9 +1986,9 @@ repo_sync_local() { logCmd "dnf repolist" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install" - logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things - logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # After the download is complete run createrepo create_repo From 8f4076ccd6f41b893be888ab0610cd42a7c0afc7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:46:32 -0400 Subject: [PATCH 393/470] Change repo conf permissions --- salt/manager/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index fe26ddebc..4db979266 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -25,6 +25,15 @@ repo_log_dir: - user - group +repo_conf_dir: + file.directory: + - name: /opt/so/conf/reposync + - user: socore + - group: socore + - recurse: + - user + - group + repo_dir: file.directory: - name: /nsm/repo From c977f38a5867e111be47ea3ba7ddcb9d74b3747c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:56:40 -0400 Subject: [PATCH 394/470] Change repo conf permissions --- salt/manager/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 4db979266..2cddf130c 100644 --- a/salt/manager/init.sls 
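Review bot: `repo_conf_dir` recursively hands `/opt/so/conf/reposync` to `socore`, which includes `repodownload.conf`, the file that fixes `baseurl`, `gpgkey` and `gpgcheck=1` for the packages root later installs from /nsm/repo; the sync job only needs to read it, so making it writable by the service account lets that account also change where packages come from and whether their signatures are checked. Keep the config file root-owned and group-readable, for example a `file.managed` on it with `- replace: False`, `- user: root`, `- group: socore`, `- mode: '0640'`, and give the dnf cache its own socore-owned directory instead of chowning the whole conf tree. As written, the recursive `user`/`group` on this state would also undo any such ownership on every highstate, so the `recurse` list would need to go along with that change.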
+++ b/salt/manager/init.sls @@ -34,6 +34,15 @@ repo_conf_dir: - user - group +repo_cache_dir: + file.directory: + - name: /opt/so/reposync/cache + - user: socore + - group: socore + - recurse: + - user + - group + repo_dir: file.directory: - name: /nsm/repo From 0a096712cb74a2500e07b36e053df48a7d1b3d73 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 12:39:31 -0400 Subject: [PATCH 395/470] Fix cache location --- salt/manager/init.sls | 9 --------- setup/so-functions | 2 +- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 2cddf130c..4db979266 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -34,15 +34,6 @@ repo_conf_dir: - user - group -repo_cache_dir: - file.directory: - - name: /opt/so/reposync/cache - - user: socore - - group: socore - - recurse: - - user - - group - repo_dir: file.directory: - name: /nsm/repo diff --git a/setup/so-functions b/setup/so-functions index 6552020c4..807d29575 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1974,7 +1974,7 @@ repo_sync_local() { echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf echo "best=True" >> /opt/so/conf/reposync/repodownload.conf echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf - echo "cachedir=/opt/so/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf + echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf From 3b671efa8eec9ef31bff80d99aed45c28326a66f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 12:47:48 -0400 Subject: [PATCH 396/470] Fix cache location --- salt/manager/soc_manager.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml
index abcc9d078..437c14ad9 100644
--- a/salt/manager/soc_manager.yaml
+++ b/salt/manager/soc_manager.yaml
@@ -9,7 +9,7 @@ manager:
 global: True
 helpLink: manager.html
 minute:
- description: The minute within the hour specified in hour to run the repo sync.
+ description: The minute within the hour to run the repo sync.
 global: True
 helpLink: manager.html
 elastalert:
From 0a9a064648b4c4e5037ccd8b589ffe730744b85e Mon Sep 17 00:00:00 2001
From: weslambert
Date: Thu, 23 Mar 2023 13:45:51 -0400
Subject: [PATCH 397/470] Remove node attrs configuration since node roles will be used
---
 salt/elasticsearch/defaults.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 2db3174b9..3649d015e 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1,8 +1,6 @@
 elasticsearch:
 config:
- node:
- attr:
- box_type: hot
+ node: {}
 cluster:
 routing:
 allocation:
From 90159f4bcd3a11d623f9c264a74105c88b2f7e19 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 23 Mar 2023 15:09:40 -0400
Subject: [PATCH 398/470] Switch up elastic roles
---
 salt/elasticsearch/config.map.jinja | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja
index 7c4a2c3a5..278bbde62 100644
--- a/salt/elasticsearch/config.map.jinja
+++ b/salt/elasticsearch/config.map.jinja
@@ -13,11 +13,11 @@
 {% if grains.id.split('_') | last == 'manager' %}
 {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
 {% else %}
- {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}
+ {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
 {% endif %}
 {% endif %}
 {% elif grains.id.split('_') | last == 'searchnode' %}
- {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %}
+ {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
 {% if HIGHLANDER %}
 {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
 {% endif %}
From bad905f54cc1372f39cc2cb3ce0f27cb35f5152b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Thu, 23 Mar 2023 16:22:59 -0400
Subject: [PATCH 399/470] SOC Logs & Hunt Query
---
 .../so-elastic-fleet-integration-policy-load | 26 ++++++++++++++++++-
 .../elasticsearch/files/ingest-dynamic/common | 3 ++-
 salt/soc/defaults.yaml | 6 ++++-
 3 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
index c2fa05074..be4ec5246 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
+++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
@@ -73,7 +73,7 @@ echo # Kratos logs echo echo "Setting up Kratos package policy..." -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos" }}}}}}' +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"custom":"pipeline: kratos","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos" }}}}}}' echo # RITA Logs 
@@ -111,3 +111,27 @@ echo echo "Setting up IDH package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' echo + +# SOC - Server logs +echo +echo "Setting up SOC - Server Logs package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-server-logs","namespace":"so","description":"Security Onion Console Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/sensoroni-server.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true","tags":[]}}}}}}' +echo + +# SOC - Sensoroni logs +echo +echo "Setting up SOC - Sensoroni Logs package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-sensoroni-logs","namespace":"so","description":"Security Onion - Sensoroni - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/sensoroni/sensoroni.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true","tags":[]}}}}}}' +echo + +# SOC - Elastic Auth Sync logs +echo +echo "Setting up SOC - Elastic Auth Sync Logs package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-auth-sync-logs","namespace":"so","description":"Security Onion - Elastic Auth Sync - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/sync.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync","tags":[]}}}}}}' +echo + +# SOC - Salt Relay logs +echo +echo "Setting up SOC - Salt_Relay Logs package policy..." +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-salt-relay-logs","namespace":"so","description":"Security Onion - Salt Relay - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/salt-relay.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay","tags":[]}}}}}}' +echo \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest-dynamic/common b/salt/elasticsearch/files/ingest-dynamic/common index 277a4f14d..8c8de0da1 100644 --- a/salt/elasticsearch/files/ingest-dynamic/common +++ b/salt/elasticsearch/files/ingest-dynamic/common 
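Review bot: None of the four new `curl ... -X POST "localhost:5601/api/fleet/package_policies"` calls checks the response, so a conflict from an already-existing policy or a validation error on the `processors` string is just printed and the script carries on as if the policy had been installed; on re-runs that means silent non-installation. Capture the status, e.g. `-s -o /dev/null -w '%{http_code}'` into a variable and test it against the codes Fleet returns for created and already-present, or at minimum `|| echo "failed: soc-server-logs"` per call. The new policies pin `"version":"1.1.2"` of the `log` package while the kratos and idh policies earlier in this file pin 1.1.0 and 1.1.1; one version for the whole file, or a single variable, would avoid mixed package versions on one grid. The final `echo` is committed without a trailing newline.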
@@ -57,7 +57,8 @@ { "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } }, { "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } }, - { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset" ], "ignore_missing": true, "ignore_failure": true } } + { "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from":"event.dataset_temp" }}, + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } {%- endraw %} {%- if HIGHLANDER %} , diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 196828b77..8d846a84d 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1123,10 +1123,14 @@ soc: description: Show all events grouped by module and dataset query: '* | groupby event.module* event.dataset' showSubtitle: true - - name: SOC Auth + - name: SOC - Auth description: Users authenticated to SOC grouped by IP address and identity query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' showSubtitle: true + - name: SOC - App + description: Logs generated by the Security Onion Console (SOC) server and modules + query: 'event.module: "soc" | groupby event.module* event.dataset* log.level* | groupby agent.name | groupby event.action* | groupby "http.request.method" | groupby "url.path"' + showSubtitle: true - name: Elastalerts description: '' query: '_type:elastalert | groupby rule.name' From 16bc63233f17a8f61f8b4c15bf610c36a1df6ac6 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 24 Mar 2023 09:33:12 -0400 Subject: [PATCH 400/470] Fix errors --- salt/playbook/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 5fe9ab92f..fd31aeba8 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -42,6 +42,15 @@ query_updatwebhooks: - connection_user: root - connection_pass: {{ MYSQLPASS }} +query_updatename: + mysql_query.run: + - database: playbook + - query: "update custom_fields set name = 'Custom Filter' where id = 21;" + - connection_host: {{ GLOBALS.manager }} + - connection_port: 3306 + - connection_user: root + - connection_pass: {{ MYSQLPASS }} + query_updatepluginurls: mysql_query.run: - database: playbook From 0be57e686e0b7f37f22a0c016c6ed456f8487fde Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 24 Mar 2023 13:22:21 -0400 Subject: [PATCH 401/470] prune system volumes during upgrade --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 1ee166657..a41b80ad8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -340,7 +340,7 @@ check_os_updates() { clean_dockers() { # Place Holder for cleaning up old docker images echo "Trying to clean up old dockers." - docker system prune -a -f + docker system prune -a -f --volumes } From aa9d44ab0953f9195baa9a22894a6ac67ee39b06 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 24 Mar 2023 13:51:13 -0400 Subject: [PATCH 402/470] Add four new GeoIP dashboards --- salt/soc/defaults.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 8d846a84d..502a83fad 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
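Review bot: `query_updatename` re-executes its UPDATE on every highstate, because `mysql_query.run` has no change detection, and it selects the row purely on `id = 21`, a schema assumption that nothing in the state documents. Narrowing the statement so it becomes a no-op once applied, e.g. `- query: "update custom_fields set name = 'Custom Filter' where id = 21 and name <> 'Custom Filter';"`, and adding a comment above the state naming which Playbook custom field id 21 is expected to be would make it both idempotent and reviewable. Like the neighbouring `query_updatwebhooks` state it connects as the MySQL root user with `{{ MYSQLPASS }}` rendered into the state; a dedicated low-privilege Playbook account would be preferable, though that pattern predates this hunk.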
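Review bot: Adding `--volumes` to `docker system prune -a -f` in `clean_dockers()` turns an image clean-up into volume deletion during an upgrade, and what is deleted depends on the Docker engine version: older engines remove every volume not attached to a container, newer ones (as far as I recall) only anonymous volumes. Since soup stops containers while it runs, any named volume that is detached at that moment would be lost on the older behaviour, and nothing in the hunk records that this is intended. If only dangling anonymous volumes are meant, run `docker volume prune -f` after the containers are back up instead, or at minimum add `# --volumes also removes detached volumes; persistent data must live in /nsm or /opt/so bind mounts, never in Docker volumes` so the assumption is explicit.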
@@ -1565,6 +1565,18 @@ soc: - name: VLAN description: VLAN (Virtual Local Area Network) tagged logs query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name' + - name: GeoIP - Destination Countries + description: GeoIP tagged logs visualized by destination countries + query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module' + - name: GeoIP - Destination Organizations + description: GeoIP tagged logs visualized by destination organizations + query: '* AND _exists_:destination_geo.organization_name | groupby destination_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module' + - name: GeoIP - Source Countries + description: GeoIP tagged logs visualized by source countries + query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module' + - name: GeoIP - Source Organizations + description: GeoIP tagged logs visualized by source organizations + query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby 
event.dataset | groupby event.module' job: alerts: advanced: false From 462b2b23b91fb1f74ac67f5e80c81fabb6e0bc08 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 24 Mar 2023 13:52:21 -0400 Subject: [PATCH 403/470] rework idh for web ui --- salt/firewall/assigned_hostgroups.map.yaml | 7 +- salt/idh/defaults.yaml | 125 +++++++++++---------- salt/idh/idh.conf.jinja | 2 +- salt/idh/init.sls | 9 +- salt/idh/opencanary_config.map.jinja | 18 +-- salt/idh/soc_idh.yaml | 116 +++++++++---------- 6 files changed, 139 insertions(+), 138 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 2e54a5e9f..c5f4d89c9 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -575,9 +575,10 @@ role: hostgroups: anywhere: portgroups: - {% set idh_services = salt['pillar.get']('idh:services', []) %} - {% for service in idh_services %} - - {{ IDH_PORTGROUPS['idh_'~service] }} + {% for service in IDH_PORTGROUPS.keys() %} + {% if service != 'openssh' %} + - {{ IDH_PORTGROUPS[service] }} + {% endif %} {% endfor %} dockernet: portgroups: diff --git a/salt/idh/defaults.yaml b/salt/idh/defaults.yaml index 39e8a6074..b0c4d6904 100644 --- a/salt/idh/defaults.yaml +++ b/salt/idh/defaults.yaml @@ -1,4 +1,9 @@ idh: + restrict_management_ip: false + openssh: + enable: true + config: + port: 2222 opencanary: config: logger: 
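Review bot: The new `{% if service != 'openssh' %}` guard never excludes anything as far as this series shows: IDH_PORTGROUPS is populated in opencanary_config.map.jinja with keys built as `'idh_' ~ service`, so an openssh entry would be named `idh_openssh`, not `openssh`. If the map file is the only producer of IDH_PORTGROUPS, either compare against the prefixed key or drop the check so readers are not misled into thinking the real SSH daemon is being filtered out of the `anywhere` hostgroup. A comment such as `{# every enabled OpenCanary service is opened to anywhere by design; the real sshd on 2222 is not in this map #}` would make the intent clear either way.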
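Review bot: The new `restrict_management_ip: false` default means every enabled OpenCanary service also answers on the node's management IP, and the next hunk of this same commit turns `ssh_x_enabled` on by default on port 22, so a fresh IDH node serves honeypot SSH on its management address unless an operator changes it. That may be a deliberate honeypot choice, but the defaults file does not say so. A comment on the key, e.g. `# false: honeypot services are also reachable on the management IP; true installs DROP rules for them there (see init.sls)`, would make the trade-off visible where the SOC UI reads these defaults.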
@@ -14,77 +19,73 @@ idh: file: class: logging.FileHandler filename: /var/tmp/opencanary.log - portscan.enabled: false - portscan.logfile: /var/log/kern.log - portscan.synrate: 5 - portscan.nmaposrate: 5 - portscan.lorate: 3 - tcpbanner.maxnum: 10 - tcpbanner.enabled: false - tcpbanner_1.enabled: false - tcpbanner_1.port: 8001 - tcpbanner_1.datareceivedbanner: '' - tcpbanner_1.initbanner: '' - tcpbanner_1.alertstring.enabled: false - tcpbanner_1.keep_alive.enabled: false - tcpbanner_1.keep_alive_secret: '' - tcpbanner_1.keep_alive_probes: 11 - tcpbanner_1.keep_alive_interval: 300 - tcpbanner_1.keep_alive_idle: 300 - ftp.enabled: false - ftp.port: 21 - ftp.banner: FTP server ready - git.enabled: false - git.port: 9418 - http.banner: Apache/2.2.34 (Ubuntu) - http.enabled: false - http.port: 80 - http.skin: nasLogin - http.skinlist: + portscan_x_enabled: false + portscan_x_logfile: /var/log/kern.log + portscan_x_synrate: 5 + portscan_x_nmaposrate: 5 + portscan_x_lorate: 3 + tcpbanner_x_maxnum: 10 + tcpbanner_x_enabled: false + tcpbanner_1_x_enabled: false + tcpbanner_1_x_port: 8001 + tcpbanner_1_x_datareceivedbanner: '' + tcpbanner_1_x_initbanner: '' + tcpbanner_1_x_alertstring_x_enabled: false + tcpbanner_1_x_keep_alive_x_enabled: false + tcpbanner_1_x_keep_alive_secret: '' + tcpbanner_1_x_keep_alive_probes: 11 + tcpbanner_1_x_keep_alive_interval: 300 + tcpbanner_1_x_keep_alive_idle: 300 + ftp_x_enabled: false + ftp_x_port: 21 + ftp_x_banner: FTP server ready + git_x_enabled: false + git_x_port: 9418 + http_x_banner: Apache/2.2.34 (Ubuntu) + http_x_enabled: false + http_x_port: 80 + http_x_skin: nasLogin + http_x_skinlist: - desc: Plain HTML Login name: basicLogin - desc: Synology NAS Login name: nasLogin - httpproxy.enabled: false - httpproxy.port: 8080 - httpproxy.skin: squid - httpproxy.skinlist: + httpproxy_x_enabled: false + httpproxy_x_port: 8080 + httpproxy_x_skin: squid + httpproxy_x_skinlist: - desc: Squid name: squid - desc: Microsoft ISA Server Web Proxy 
name: ms-isa - mssql.enabled: false - mssql.version: '2012' - mssql.port: 1433 - mysql.enabled: false - mysql.port: 3306 - mysql.banner: 5.5.43-0ubuntu0.14.04.1 - ntp.enabled: false - ntp.port: 123 - redis.enabled: false - redis.port: 6379 - sip.enabled: false - sip.port: 5060 - smb.auditfile: /var/log/samba-audit.log - smb.enabled: false - snmp.enabled: false - snmp.port: 161 - ssh.enabled: false - ssh.port: 22 - ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 - telnet.enabled: false - telnet.port: 23 - telnet.banner: '' - telnet.honeycreds: + mssql_x_enabled: false + mssql_x_version: '2012' + mssql_x_port: 1433 + mysql_x_enabled: false + mysql_x_port: 3306 + mysql_x_banner: 5.5.43-0ubuntu0.14.04.1 + ntp_x_enabled: false + ntp_x_port: 123 + redis_x_enabled: false + redis_x_port: 6379 + sip_x_enabled: false + sip_x_port: 5060 + smb_x_auditfile: /var/log/samba-audit.log + smb_x_enabled: false + snmp_x_enabled: false + snmp_x_port: 161 + ssh_x_enabled: true + ssh_x_port: 22 + ssh_x_version: SSH-2.0-OpenSSH_5.1p1 Debian-4 + telnet_x_enabled: false + telnet_x_port: 23 + telnet_x_banner: '' + telnet_x_honeycreds: - username: admin password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA - username: admin password: admin1 - tftp.enabled: false - tftp.port: 69 - vnc.enabled: false - vnc.port: 5900 - openssh: - enable: true - config: - port: 2222 + tftp_x_enabled: false + tftp_x_port: 69 + vnc_x_enabled: false + vnc_x_port: 5900 diff --git a/salt/idh/idh.conf.jinja b/salt/idh/idh.conf.jinja index fcc000379..f10cdc418 100644 --- a/salt/idh/idh.conf.jinja +++ b/salt/idh/idh.conf.jinja @@ -1 +1 @@ -{{ OPENCANARYCONFIG | tojson(True) }} \ No newline at end of file +{{ OPENCANARYCONFIG | tojson(True) | replace("_x_", ".") }} diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 2cf22c358..52c707fa4 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls 
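Review bot: This rename also flips a default: `ssh.enabled: false` becomes `ssh_x_enabled: true`, so the SSH honeypot on port 22 is now on out of the box while every other service stays off. A behaviour change buried in a mechanical key-rename commit is easy to miss in review and in upgrade notes; it should be called out in the commit message or split into its own change, and the dependency on the real sshd having moved to `openssh.config.port: 2222` earlier in this commit deserves a comment next to `ssh_x_port: 22` so the two cannot later be set to collide.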
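Review bot: `| replace("_x_", ".")` runs over the whole rendered JSON document, not only over keys, so any value containing the literal `_x_` — a telnet honeycred username or password, an HTTP/FTP banner, `tcpbanner_1_x_keep_alive_secret`, a log path — is silently rewritten to contain `.` instead. For operator-supplied pillar values that is a correctness problem, and for credentials it means what runs differs from what the operator configured. Renaming keys only (a recursive Jinja macro, or emitting dotted keys from the map file) avoids it; at minimum add `{# NOTE: this replace also rewrites values; avoid "_x_" in banners and credentials #}` above the line.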
@@ -7,7 +7,8 @@ {% if sls in allowed_states %} {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} +{% from 'idh/opencanary_config.map.jinja' import RESTRICTIDHSERVICES %} +{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} include: - idh.openssh.config @@ -15,10 +16,9 @@ include: # If True, block IDH Services from accepting connections on Managment IP {% if RESTRICTIDHSERVICES %} - {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} - {% set idh_services = salt['pillar.get']('idh:services', []) %} + {% from 'idh/opencanary_config.map.jinja' import IDH_SERVICES %} - {% for service in idh_services %} + {% for service in IDH_SERVICES %} {% if service in ["smnp","ntp", "tftp"] %} {% set proto = 'udp' %} {% else %} @@ -52,7 +52,6 @@ configdir: - group: 939 - makedirs: True -{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %} opencanary_config: file.managed: - name: /opt/so/conf/idh/opencanary.conf diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja index 6833f3838..a8b85adbf 100644 --- a/salt/idh/opencanary_config.map.jinja +++ b/salt/idh/opencanary_config.map.jinja @@ -1,6 +1,6 @@ {# this list of services is used to loop through and add fw rules if the service is enabled #} {# smb is not in this list since it does not need any ports open #} -{% set idh_services = [ +{% set IDH_SERVICES = [ 'ftp', 'git', 'http', 
@@ -20,24 +20,24 @@ {% set IDH_PORTGROUPS = {} %} {% import_yaml "idh/defaults.yaml" as IDHCONFIG with context %} - +{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', default=IDHCONFIG.idh.restrict_management_ip) %} {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=IDHCONFIG.idh.opencanary.config, merge=True) %} {# update skinlist to skin.list to avoid issues with SOC UI config #} -{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http.skinlist') %} -{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy.skinlist') %} -{% do OPENCANARYCONFIG.update({'http.skin.list': HTTPSKINLIST}) %} -{% do OPENCANARYCONFIG.update({'httpproxy.skin.list': HTTPPROXYSKINLIST}) %} +{% set HTTPSKINLIST = OPENCANARYCONFIG.pop('http_x_skinlist') %} +{% set HTTPPROXYSKINLIST = OPENCANARYCONFIG.pop('httpproxy_x_skinlist') %} +{% do OPENCANARYCONFIG.update({'http_x_skin_x_list': HTTPSKINLIST}) %} +{% do OPENCANARYCONFIG.update({'httpproxy_x_skin_x_list': HTTPPROXYSKINLIST}) %} {% set OPENSSH = salt['pillar.get']('idh:openssh', default=IDHCONFIG.idh.openssh, merge=True) %} -{% for service in idh_services %} +{% for service in IDH_SERVICES %} {% if service in ["smnp","ntp", "tftp"] %} {% set proto = 'udp' %} {% else %} {% set proto = 'tcp' %} {% endif %} - {% if OPENCANARYCONFIG[service ~ '.enabled'] %} - {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '.port']]}}) %} + {% if OPENCANARYCONFIG[service ~ '_x_enabled'] %} + {% do IDH_PORTGROUPS.update({'idh_' ~ service: {proto: [OPENCANARYCONFIG[service ~ '_x_port']]}}) %} {% endif %} {% endfor %} diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index 9a49cdfb8..8345ad761 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml 
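Review bot: The protocol selection just above the renamed lookup, `{% if service in ["smnp","ntp", "tftp"] %}`, spells SNMP as `smnp`, so the snmp portgroup is built as `{tcp: [161]}` and the firewall opens 161/tcp while the honeypot listens on UDP; the identical typo sits in the matching loop in idh/init.sls, so with `restrict_management_ip` the DROP rule is also installed for the wrong protocol. The line is unchanged context, but this commit is the one reworking both loops, so it is the natural place for `{% if service in ["snmp", "ntp", "tftp"] %}`. Separately, `OPENCANARYCONFIG.pop('http_x_skinlist')` and the httpproxy pop raise if the key is absent from the merged config; a default argument on the pop, or a guard, would keep rendering robust against a pillar that removes them.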
@@ -19,108 +19,108 @@ idh: file: class: *loggingOptions filename: *loggingOptions - portscan.enabled: &serviceOptions + portscan_x_enabled: &serviceOptions description: To enable this IDH service set this value to true. To disable set to false. helpLink: idh.html - portscan.logfile: *loggingOptions - portscan.synrate: + portscan_x_logfile: *loggingOptions + portscan_x_synrate: description: Needs update advanced: True helpLink: idh.html - portscan.nmaposrate: + portscan_x_nmaposrate: description: Needs update advanced: True helpLink: idh.html - portscan.lorate: + portscan_x_lorate: description: Needs update advanced: True helpLink: idh.html - tcpbanner.maxnum: + tcpbanner_x_maxnum: description: Needs update advanced: True helpLink: idh.html - tcpbanner.enabled: *serviceOptions - tcpbanner_1.enabled: *serviceOptions - tcpbanner_1.port: &portOptions + tcpbanner_x_enabled: *serviceOptions + tcpbanner_1_x_enabled: *serviceOptions + tcpbanner_1_x_port: &portOptions description: Defined port the service should listen on. 
advanced: True helpLink: idh.html - tcpbanner_1.datareceivedbanner: &bannerOptions + tcpbanner_1_x_datareceivedbanner: &bannerOptions description: Needs update advanced: True helpLink: idh.html - tcpbanner_1.initbanner: *bannerOptions - tcpbanner_1.alertstring.enabled: *serviceOptions - tcpbanner_1.keep_alive.enabled: *serviceOptions - tcpbanner_1.keep_alive_secret: + tcpbanner_1_x_initbanner: *bannerOptions + tcpbanner_1_x_alertstring_x_enabled: *serviceOptions + tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions + tcpbanner_1_x_keep_alive_secret: description: Needs update advanced: True helpLink: idh.html - tcpbanner_1.keep_alive_probes: + tcpbanner_1_x_keep_alive_probes: description: Needs update advanced: True helpLink: idh.html - tcpbanner_1.keep_alive_interval: + tcpbanner_1_x_keep_alive_interval: description: Needs update advanced: True helpLink: idh.html - tcpbanner_1.keep_alive_idle: + tcpbanner_1_x_keep_alive_idle: description: Needs update advanced: True helpLink: idh.html - ftp.enabled: *serviceOptions - ftp.port: *portOptions - ftp.banner: *bannerOptions - git.enabled: *serviceOptions - git.port: *portOptions - http.banner: *bannerOptions - http.enabled: *serviceOptions - http.port: *portOptions - http.skin: &skinOptions + ftp_x_enabled: *serviceOptions + ftp_x_port: *portOptions + ftp_x_banner: *bannerOptions + git_x_enabled: *serviceOptions + git_x_port: *portOptions + http_x_banner: *bannerOptions + http_x_enabled: *serviceOptions + http_x_port: *portOptions + http_x_skin: &skinOptions description: advanced: True helplink: idh.html - http.skinlist: &skinlistOptions + http_x_skinlist: &skinlistOptions description: List of skins to use for the service. 
advanced: True helpLink: idh.html - httpproxy.enabled: *serviceOptions - httpproxy.port: *portOptions - httpproxy.skin: *skinOptions - httpproxy.skinlist: *skinlistOptions - mssql.enabled: *serviceOptions - mssql.version: &versionOptions + httpproxy_x_enabled: *serviceOptions + httpproxy_x_port: *portOptions + httpproxy_x_skin: *skinOptions + httpproxy_x_skinlist: *skinlistOptions + mssql_x_enabled: *serviceOptions + mssql_x_version: &versionOptions description: Specify the version the service should present. advanced: True helpLink: idh.html - mssql.port: *portOptions - mysql.enabled: *serviceOptions - mysql.port: *portOptions - mysql.banner: *bannerOptions - ntp.enabled: *serviceOptions - ntp.port: *portOptions - redis.enabled: *serviceOptions - redis.port: *portOptions - sip.enabled: *serviceOptions - sip.port: *portOptions - smb.auditfile: *loggingOptions - smb.enabled: *serviceOptions - snmp.enabled: *serviceOptions - snmp.port: *portOptions - ssh.enabled: *serviceOptions - ssh.port: *portOptions - ssh.version: *versionOptions - telnet.enabled: *serviceOptions - telnet.port: *portOptions - telnet.banner: *bannerOptions - telnet.honeycreds: + mssql_x_port: *portOptions + mysql_x_enabled: *serviceOptions + mysql_x_port: *portOptions + mysql_x_banner: *bannerOptions + ntp_x_enabled: *serviceOptions + ntp_x_port: *portOptions + redis_x_enabled: *serviceOptions + redis_x_port: *portOptions + sip_x_enabled: *serviceOptions + sip_x_port: *portOptions + smb_x_auditfile: *loggingOptions + smb_x_enabled: *serviceOptions + snmp_x_enabled: *serviceOptions + snmp_x_port: *portOptions + ssh_x_enabled: *serviceOptions + ssh_x_port: *portOptions + ssh_x_version: *versionOptions + telnet_x_enabled: *serviceOptions + telnet_x_port: *portOptions + telnet_x_banner: *bannerOptions + telnet_x_honeycreds: description: Credentials list for the telnet service. 
advanced: True helpLink: idh.html - tftp.enabled: *serviceOptions - tftp.port: *portOptions - vnc.enabled: *serviceOptions - vnc.port: *portOptions + tftp_x_enabled: *serviceOptions + tftp_x_port: *portOptions + vnc_x_enabled: *serviceOptions + vnc_x_port: *portOptions openssh: enable: description: This is the other SSH for the host machine. Needs better descirption. From a9dc7a14cb171c8e0e807c5419822d48b3073d2e Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 24 Mar 2023 13:56:51 -0400 Subject: [PATCH 404/470] fix GeoIP queries --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 502a83fad..bc0286f5e 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
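Review bot: The `http_x_skin` entry keeps `helplink: idh.html` (lower-case l) and an empty `description:` while every other entry in the hunk uses `helpLink`; if the SOC UI reads these keys case-sensitively that setting renders without a help link, and the rename pass was the moment to make it consistent. The many `Needs update` placeholders also surface verbatim to operators in the UI; I cannot tell from this file what `portscan_x_synrate` and the other rate keys mean, so rather than invent text I would leave `# TODO(review): describe the portscan rate thresholds and tcpbanner keep-alive fields` above that group so the gap is tracked.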
@@ -1567,13 +1567,13 @@ soc: query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name' - name: GeoIP - Destination Countries description: GeoIP tagged logs visualized by destination countries - query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module' + query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.organization_name | groupby event.dataset | groupby event.module' - name: GeoIP - Destination Organizations description: GeoIP tagged logs visualized by destination organizations query: '* AND _exists_:destination_geo.organization_name | groupby destination_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module' - name: GeoIP - Source Countries description: GeoIP tagged logs visualized by source countries - query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module' + query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | 
groupby destination.ip | groupby destination.port | groupby source.geo.organization_name | groupby event.dataset | groupby event.module' - name: GeoIP - Source Organizations description: GeoIP tagged logs visualized by source organizations query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module' From b2c2e1574fc3e6189afe9ea5582d4aa590fa6588 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Mar 2023 14:02:13 -0400 Subject: [PATCH 405/470] Switch Repos --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 807d29575..97c250954 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1978,7 +1978,7 @@ repo_sync_local() { echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf - echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf + echo "baseurl=https://so-repo-east.s3.us-east-005.backblazeb2.com/2.4/" >> /opt/so/conf/reposync/repodownload.conf echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf From 5be5466efed5dccac6afc66461fb3d3b92d43136 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 24 Mar 2023 14:03:12 -0400 Subject: [PATCH 406/470] fix GeoIP queries --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index bc0286f5e..8572ed7ce 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml 
@@ -1567,13 +1567,13 @@ soc: query: '* AND _exists_:network.vlan.id | groupby network.vlan.id | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby event.dataset | groupby event.module | groupby observer.name | groupby source.geo.country_name | groupby destination.geo.country_name' - name: GeoIP - Destination Countries description: GeoIP tagged logs visualized by destination countries - query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.organization_name | groupby event.dataset | groupby event.module' + query: '* AND _exists_:destination.geo.country_name | groupby destination.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name | groupby event.dataset | groupby event.module' - name: GeoIP - Destination Organizations description: GeoIP tagged logs visualized by destination organizations query: '* AND _exists_:destination_geo.organization_name | groupby destination_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby destination.geo.country_name | groupby event.dataset | groupby event.module' - name: GeoIP - Source Countries description: GeoIP tagged logs visualized by source countries - query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.organization_name | groupby event.dataset | groupby event.module' + query: '* AND _exists_:source.geo.country_name | groupby source.geo.country_name | groupby source.ip | groupby -sankey source.ip 
destination.ip | groupby destination.ip | groupby destination.port | groupby source_geo.organization_name | groupby event.dataset | groupby event.module' - name: GeoIP - Source Organizations description: GeoIP tagged logs visualized by source organizations query: '* AND _exists_:source_geo.organization_name | groupby source_geo.organization_name | groupby source.ip | groupby -sankey source.ip destination.ip | groupby destination.ip | groupby destination.port | groupby source.geo.country_name | groupby event.dataset | groupby event.module' From afe4d75d91ae80e3dd671e4f00976d7e225666e7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 24 Mar 2023 14:13:48 -0400 Subject: [PATCH 407/470] Switch Repos --- setup/so-functions | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 97c250954..de56b32c6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1968,6 +1968,8 @@ repo_sync_local() { info "Backing up old repos" mkdir -p /nsm/repo mkdir -p /opt/so/conf/reposync/cache + echo "https://repo.securityonion.net/file/so-repo/2.4/" > /opt/so/conf/reposync/mirror.txt + echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/2.4/" >> /opt/so/conf/reposync/mirrors.txt echo "[main]" > /opt/so/conf/reposync/repodownload.conf echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf 
@@ -1978,7 +1980,8 @@ repo_sync_local() {
 echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
 echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
 echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
- echo "baseurl=https://so-repo-east.s3.us-east-005.backblazeb2.com/2.4/" >> /opt/so/conf/reposync/repodownload.conf
+ #echo "baseurl=https://repo.securityonion.net/file/so-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf
+ echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
 echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
 echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf
From cb2fdae3683947cc66e1a6edbc76234a5cc226de Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 24 Mar 2023 14:40:59 -0400
Subject: [PATCH 408/470] Switch Repos
---
 setup/so-functions | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index de56b32c6..de7eaa57f 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1969,7 +1969,7 @@ repo_sync_local() {
 mkdir -p /nsm/repo
 mkdir -p /opt/so/conf/reposync/cache
 echo "https://repo.securityonion.net/file/so-repo/2.4/" > /opt/so/conf/reposync/mirror.txt
- echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/2.4/" >> /opt/so/conf/reposync/mirrors.txt
+ echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/2.4/" >> /opt/so/conf/reposync/mirror.txt
 echo "[main]" > /opt/so/conf/reposync/repodownload.conf
 echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
 echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
@@ -1980,12 +1980,11 @@ repo_sync_local() {
 echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
 echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
 echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
- #echo "baseurl=https://repo.securityonion.net/file/so-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf
+ echo "#baseurl=https://repo.securityonion.net/file/so-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf
 echo "mirrorlist=file:///opt/so/conf/reposync/mirror.txt" >> /opt/so/conf/reposync/repodownload.conf
 echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
 echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
- echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf
-
+ logCmd "dnf repolist"
 # Make sure we can get to the sig repo
 logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install"
From 1a6d887b5fffb638da84a96a79b3eb369102b7a4 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 24 Mar 2023 16:16:22 -0400
Subject: [PATCH 409/470] idh setup changes
---
 salt/idh/init.sls | 4 ++--
 setup/so-functions | 12 ------------
 setup/so-setup | 2 +-
 3 files changed, 3 insertions(+), 15 deletions(-)
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 52c707fa4..20a6412ce 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -24,14 +24,14 @@ include:
 {% else %}
 {% set proto = 'tcp' %}
 {% endif %}
-block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} :
+block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'_x_port'] }} :
 iptables.insert:
 - table: filter
 - chain: INPUT
 - jump: DROP
 - position: 1
 - proto: {{ proto }}
- - dport: {{ OPENCANARYCONFIG[service~'.port'] }}
+ - dport: {{ OPENCANARYCONFIG[service~'_x_port'] }}
 - destination: {{ GLOBALS.node_ip }}
 {% endfor %}
 {% endif %}
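Review bot: This hunk removes the `gpgkey=` line from the securityonionsync repo definition while leaving `gpgcheck=1` in place, so dnf has no key configured to verify the mirrored packages against. Depending on the dnf version that either makes verification fail or, for `dnf reposync` (which only checks signatures when passed `--gpgcheck`, and the sync commands in this series do not), silently mirrors unverified packages into /nsm/repo, from which every node in the grid installs. Unless the key is now imported into the rpm keyring elsewhere, restore `echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf` and consider adding `--gpgcheck` to the reposync invocations so a tampered mirror cannot poison the local repo.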
diff --git a/setup/so-functions b/setup/so-functions index 807d29575..c58760059 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1311,18 +1311,6 @@ import_registry_docker() { idh_pillar() { touch $adv_idh_pillar_file - title "Create the IDH Pillar" - printf '%s\n'\ - "idh:"\ - " listen_on_mgnt_int: True"\ - " services:"\ - " - HTTP"\ - " - FTP"\ - " - MYSQL"\ - " - MSSQL"\ - " - VNC"\ - " - SSH" > "$idh_pillar_file" - } logstash_pillar() { diff --git a/setup/so-setup b/setup/so-setup index 88a2fd045..06c156305 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -475,7 +475,7 @@ if ! [[ -f $install_opt_file ]]; then collect_mngr_hostname add_mngr_ip_to_hosts check_manager_connection - collect_idh_services + #collect_idh_services (this may be added back sometime in the future) collect_idh_preferences set_minion_info whiptail_end_settings From 82462939830c5f2518a4cab25464b26959d0e746 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Mar 2023 08:40:36 -0400 Subject: [PATCH 410/470] Add unzip --- salt/common/packages.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index e5e75c47a..2ed82c895 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -52,4 +52,5 @@ commonpkgs: - rsync - python3-rich - python3-watchdog + - unzip {% endif %} From 72d01b13edc2e3316771b7ab88f3d9036b620bed Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Mar 2023 10:12:13 -0400 Subject: [PATCH 411/470] Modify reposync useragent --- salt/manager/files/so-repo-sync | 2 +- setup/so-functions | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/manager/files/so-repo-sync b/salt/manager/files/so-repo-sync index 051a1fff7..3e129cd0d 100644 --- a/salt/manager/files/so-repo-sync +++ b/salt/manager/files/so-repo-sync 
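Review bot: After this hunk `idh_pillar()` only touches `$adv_idh_pillar_file`; the removed block was the only visible writer of `$idh_pillar_file`, so that file is no longer created during setup. If pillar/top.sls still lists the corresponding `minions.<id>` entry for IDH nodes, the first highstate would fail on a missing pillar SLS, so either add `touch "$idh_pillar_file"` alongside the existing touch or remove the variable if nothing references it any more. A one-line comment such as `# IDH services are now configured from the SOC UI; setup only creates the (empty) pillar files` would explain why the function is now almost empty.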
@@ -11,6 +11,6 @@ set_version set_os salt_minion_count -curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup +curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ createrepo /nsm/repo \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 18db0b7b4..0cd9a17bb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1975,7 +1975,8 @@ repo_sync_local() { logCmd "dnf repolist" # Make sure we can get to the sig repo - logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install" + # TODO Add if for ISO install + curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 16025512952f68473984a999d03e290afba25c73 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Mar 2023 10:14:32 -0400 Subject: [PATCH 412/470] Modify reposync useragent --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 0cd9a17bb..b4965cc8d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
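Review bot: The reachability check is no longer logged or checked in repo_sync_local: the bare `curl` replaced `logCmd "curl ..."`, its exit status is ignored and there is no `--fail`, so the comment "Make sure we can get to the sig repo" is not enforced and the following `dnf reposync` is the first thing to break. Suggest `if ! curl --fail --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install; then` with a logged error and `return 1`. Both this hunk and the so-repo-sync hunk above write the response to a fixed, predictable path under /tmp while running as root; a `mktemp`-created file is safer than `/tmp/install` / `/tmp/checkup`. repo_sync_local continues outside the hunk.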
@@ -1976,7 +1976,7 @@ repo_sync_local() { logCmd "dnf repolist" # Make sure we can get to the sig repo # TODO Add if for ISO install - curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install + curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 2a288c7e4aebb2333ee7c133eb8740f53a9c2b34 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Mar 2023 10:18:57 -0400 Subject: [PATCH 413/470] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index b4965cc8d..307a03d8f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1976,7 +1976,7 @@ repo_sync_local() { logCmd "dnf repolist" # Make sure we can get to the sig repo # TODO Add if for ISO install - curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install + curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 7f395c4c1ebc8fa63f31e87fc24419fe14fc5db6 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 27 Mar 2023 10:49:36 -0400 Subject: [PATCH 414/470] Update so-common --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 5cdb9e57a..49b0d0527 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -370,7 +370,7 @@ run_check_net_err() { salt_minion_count() { local MINIONDIR="/opt/so/saltstack/local/pillar/minions" - MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep sls | wc -l) + MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l) } From 42cc419e00814a77d1ac3b9b613380f1dfeea377 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Mar 2023 11:30:03 -0400 Subject: [PATCH 415/470] restart salt master and minion after manager install completes --- setup/so-setup | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 06c156305..f51ddb316 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -633,6 +633,8 @@ if ! [[ -f $install_opt_file ]]; then fi checkin_at_boot set_initial_firewall_access + systemctl restart salt-master + systemctl restart salt-minion verify_setup else touch /root/accept_changes From 2cb6f0f1e6795e492bd93e55a746a5222b382e90 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Mar 2023 12:30:39 -0400 Subject: [PATCH 416/470] Add curator settings --- salt/elasticsearch/defaults.yaml | 2 ++ salt/elasticsearch/soc_elasticsearch.yaml | 7 ++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 3649d015e..37f55ddc7 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,4 +1,6 @@ elasticsearch: + retention: + retention_pct: 50 config: node: {} cluster: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index d7c310687..ded8e5be6 100644 
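Review bot: `ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l` counts by parsing ls output, and `grep -v adv_` also drops any ordinary minion whose id happens to contain `adv_`; when the glob matches nothing, ls prints an error and the count silently becomes 0. A find-based count avoids both: `MINIONCOUNT=$(find "$MINIONDIR" -maxdepth 1 -name '*.sls' ! -name 'adv_*' | wc -l)`.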
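Review bot: The two `systemctl restart` lines in so-setup run unlogged and unchecked, unlike the helper calls around them, so a failed salt-master restart would only surface later in verify_setup. If logCmd is in scope here as it is in so-functions, `logCmd "systemctl restart salt-master"` and `logCmd "systemctl restart salt-minion"` put the result in the setup log. The enclosing `if` block continues outside the hunk.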
--- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -1,7 +1,12 @@ elasticsearch: esheap: description: Specify the memory heap size in (m)egabytes for Elasticsearch. - helpLink: elasticsearch.html + helpLink: elasticsearch.html + retention: + retention_pct: + decription: Total percentage of space used by Elasticsearch for multi node clusters + helpLink: elasticsearch.yaml + global: True config: cluster: name: From 6c3c5730c5550f01d71097d62cfc338186bfd9e7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 27 Mar 2023 12:33:34 -0400 Subject: [PATCH 417/470] Add curator settings --- salt/curator/files/action/delete.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index fb8ae30cb..c81a9e548 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -3,6 +3,11 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %} +{% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %} + +{{ ELASTICMERGED.retention_pct }} + {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit') %} actions: 1: From 0d87a5d7392ca08a54d4a9628d4f50e4122ccdec Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Mar 2023 12:51:29 -0400 Subject: [PATCH 418/470] import sensor vars in import vars --- salt/vars/import.map.jinja | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/vars/import.map.jinja b/salt/vars/import.map.jinja index 198db31dd..f9dfa0c25 100644 --- a/salt/vars/import.map.jinja +++ b/salt/vars/import.map.jinja 
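Review bot: `decription:` under `retention_pct:` is misspelled, so the key the annotation consumer reads (`description:`, as `esheap` uses two lines above) is absent and the setting will show without help text; `helpLink: elasticsearch.yaml` also looks like a slip for `elasticsearch.html`, the value every other helpLink in this file uses. Change the two lines to `description: Total percentage of space used by Elasticsearch for multi node clusters` and `helpLink: elasticsearch.html`.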
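Review bot: The bare `{{ ELASTICMERGED.retention_pct }}` line in delete.yml renders as a top-level plain scalar (e.g. `50`) ahead of the `actions:` mapping, and a YAML document cannot hold a scalar followed by a mapping at the same level, so curator will fail to load the action file. It looks like a debugging leftover: either drop the line or keep the value as a comment, `# retention_pct: {{ ELASTICMERGED.retention_pct }}`. Once that is done ELASTICMERGED is unused in the hunk, so the two imports only earn their place if a later hunk uses them.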
@@ -1,10 +1,12 @@ {% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %} +{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %} {% set ROLE_GLOBALS = {} %} {% set IMPORT_GLOBALS = [ - ELASTICSEARCH_GLOBALS + ELASTICSEARCH_GLOBALS, + SENSOR_GLOBALS ] %} From d22a5b2eb3733a20ba8937fb693deb0330e7d949 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 27 Mar 2023 15:16:47 -0400 Subject: [PATCH 419/470] Add annotations --- pillar/top.sls | 2 ++ salt/idh/soc_idh.yaml | 26 +++++++++++++------------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/pillar/top.sls b/pillar/top.sls index c16b556d1..438aff576 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -157,6 +157,8 @@ base: '*_idh': - soc_global - adv_global + - idh.soc_idh + - idh.adv_idh - minions.{{ grains.id }} - minions.adv_{{ grains.id }} diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index 8345ad761..b00bc2d34 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml 
@@ -20,52 +20,52 @@ idh: class: *loggingOptions filename: *loggingOptions portscan_x_enabled: &serviceOptions - description: To enable this IDH service set this value to true. To disable set to false. + description: To enable this opencanary module, set this value to true. To disable set to false. helpLink: idh.html portscan_x_logfile: *loggingOptions portscan_x_synrate: - description: Needs update + description: Portscan - syn rate limiting advanced: True helpLink: idh.html portscan_x_nmaposrate: - description: Needs update + description: Portscan - nmap OS rate limiting advanced: True helpLink: idh.html portscan_x_lorate: - description: Needs update + description: Portscan - lo rate limiting advanced: True helpLink: idh.html tcpbanner_x_maxnum: - description: Needs update + description: Portscan - maxnum advanced: True helpLink: idh.html tcpbanner_x_enabled: *serviceOptions tcpbanner_1_x_enabled: *serviceOptions tcpbanner_1_x_port: &portOptions - description: Defined port the service should listen on. + description: Port the service should listen on. advanced: True helpLink: idh.html tcpbanner_1_x_datareceivedbanner: &bannerOptions - description: Needs update + description: Data Received Banner advanced: True helpLink: idh.html tcpbanner_1_x_initbanner: *bannerOptions tcpbanner_1_x_alertstring_x_enabled: *serviceOptions tcpbanner_1_x_keep_alive_x_enabled: *serviceOptions tcpbanner_1_x_keep_alive_secret: - description: Needs update + description: Keep Alive Secret advanced: True helpLink: idh.html tcpbanner_1_x_keep_alive_probes: - description: Needs update + description: Keep Alive Probes advanced: True helpLink: idh.html tcpbanner_1_x_keep_alive_interval: - description: Needs update + description: Keep Alive Interval advanced: True helpLink: idh.html tcpbanner_1_x_keep_alive_idle: - description: Needs update + description: Keep Alive Idle advanced: True helpLink: idh.html ftp_x_enabled: *serviceOptions 
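Review bot: `tcpbanner_x_maxnum` now reads `description: Portscan - maxnum`, which attributes a tcpbanner setting to the portscan module; the three entries above it are the portscan rate settings, so this looks like a copy-paste slip. `description: TCP Banner - maxnum` keeps the module name right without asserting what maxnum bounds (which the hunk does not show). The rest of the replaced "Needs update" texts read consistently.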
@@ -123,9 +123,9 @@ idh: vnc_x_port: *portOptions openssh: enable: - description: This is the other SSH for the host machine. Needs better descirption. + description: This is the real SSH service for the host machine. helpLink: idh.html config: port: - description: Port that ssh will listen on and only accessible from the manager. + description: Port that the real SSH service will listen on and will only accessible from the manager. helpLink: idh.html From 2b1576249a9ae1bcd24f3f8b8e4bcd6ee14f1be7 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 27 Mar 2023 16:44:21 -0400 Subject: [PATCH 420/470] add minion CIDR to search also --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 96c357c74..7d06f7542 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2289,7 +2289,8 @@ set_initial_firewall_access() { $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true fi if [[ ! -z "$MINION_CIDR" ]]; then - $default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=true + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=search --ip=$MINION_CIDR --apply=true fi } From fcb6f3eaf183c775d4e85849e5bb8a4befd0ef3c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 27 Mar 2023 16:59:27 -0400 Subject: [PATCH 421/470] remove default zeek bpf --- salt/bpf/defaults.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml index e9bc76dfb..5e74c3942 100644 --- a/salt/bpf/defaults.yaml +++ b/salt/bpf/defaults.yaml @@ -1,5 +1,4 @@ bpf: pcap: [] suricata: [] - zeek: - - ip or not ip + zeek: [] From 34cd823cd4c7e0443910e3db753f2665b236491d Mon Sep 17 00:00:00 2001 
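Review bot: The new openssh port description has a grammar slip, `will only accessible from the manager`; it should read `description: Port that the real SSH service will listen on and will only be accessible from the manager.`.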
From: Jason Ertel Date: Mon, 27 Mar 2023 18:59:32 -0400 Subject: [PATCH 422/470] fix role --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 7d06f7542..44747c26d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2290,7 +2290,7 @@ set_initial_firewall_access() { fi if [[ ! -z "$MINION_CIDR" ]]; then $default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=false - $default_salt_dir/salt/common/tools/sbin/so-firewall --role=search --ip=$MINION_CIDR --apply=true + $default_salt_dir/salt/common/tools/sbin/so-firewall --role=searchnodes --ip=$MINION_CIDR --apply=true fi } From 934b8894e2de0751a4008ea1b0c2a87ba73d0e64 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 00:54:04 +0000 Subject: [PATCH 423/470] Update Curator scripts --- .../files/bin/so-curator-cluster-close | 0 .../files/bin/so-curator-cluster-delete | 38 ++++++++------ salt/curator/init.sls | 50 ++++++++++++++----- 3 files changed, 60 insertions(+), 28 deletions(-) mode change 100644 => 100755 salt/curator/files/bin/so-curator-cluster-close mode change 100644 => 100755 salt/curator/files/bin/so-curator-cluster-delete diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close old mode 100644 new mode 100755 diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete old mode 100644 new mode 100755 index 34c3c10cf..e99e88659 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -4,7 +4,27 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -APP=delete + +#. /usr/sbin/so-elastic-common +#. /etc/nsm/securityonion.conf + +# If logrotate script doesn't already exist, create it +#FILE="/etc/logrotate.d/so-curator-cluster-delete" +#if ! [ -f ${FILE} ]; then +# cat << EOF > ${FILE} +#/var/log/nsm/so-curator-cluster-delete.log { +# daily +# rotate 7 +# copytruncate +# compress +# missingok +# notifempty +#} +#EOF +#fi + +# Avoid starting multiple instances +APP=clusterdelete lf=/tmp/$APP-pidLockFile # create empty lock file if none exists cat /dev/null >> $lf 
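Review bot: The single-instance guard uses a predictable, world-writable path (`/tmp/clusterdelete-pidLockFile`) that a root cron job then reads from and appends to: `read lastPID < $lf` trusts whatever is in the file, and the `-d /proc/$lastPID` test only asks whether some process with that id exists, so a file pre-created or symlinked by another local user can make every run exit early or make root append to a file of that user's choosing. Prefer a root-owned lock directory and kernel locking, e.g. `lf=/run/lock/so-curator-cluster-delete.lock` followed by `exec 9>"$lf"` and `flock -n 9 || exit 0`. The ~20 lines of commented-out logrotate code copied into a new script should be dropped rather than carried.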
@@ -13,18 +33,4 @@ read lastPID < $lf [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit echo $$ > $lf -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-kratos-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-import-so-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-strelka-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-suricata-delete.yml > /dev/null 2>&1; -docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/logs-syslog-delete.yml > /dev/null 2>&1; -docker exec so-curator curator 
--config /etc/curator/config/curator.yml /etc/curator/action/logs-zeek-delete.yml > /dev/null 2>&1; +/usr/sbin/so-curator-cluster-delete-delete diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 94a666f53..7ef48a382 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -5,12 +5,6 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from "curator/map.jinja" import CURATOROPTIONS %} -{% from "curator/map.jinja" import CURATORMERGED %} -{% set REMOVECURATORCRON = False %} - # Curator # Create the group curatorgroup: @@ -27,6 +21,17 @@ curator: - createhome: False # Create the log directory +curlogdir: + file.directory: + - name: /opt/so/log/curator + - user: 934 + - group: 939 +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager']%} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from "curator/map.jinja" import CURATOROPTIONS %} +{% from "curator/map.jinja" import CURATORMERGED %} +{% set REMOVECURATORCRON = False %} curactiondir: file.directory: - name: /opt/so/conf/curator/action @@ -34,12 +39,6 @@ curactiondir: - group: 939 - makedirs: True -curlogdir: - file.directory: - - name: /opt/so/log/curator - - user: 934 - - group: 939 - actionconfs: file.recurse: - name: /opt/so/conf/curator/action 
@@ -172,7 +171,34 @@ so-curatorclusterdelete: - daymonth: '*' - month: '*' - dayweek: '*' +{% else %} +curnodedel: + file.managed: + - name: /usr/sbin/so-curator-node-delete + - source: salt://curator/files/bin/so-curator-node-delete + - user: 934 + - group: 939 + - mode: 755 +curnodedeldel: + file.managed: + - name: /usr/sbin/so-curator-node-delete-delete + - source: salt://curator/files/bin/so-curator-node-delete-delete + - user: 934 + - group: 939 + - mode: 755 + - template: jinja + +so-curatornodedeletecron: + cron.present: + - name: /usr/sbin/so-curator-node-delete > /opt/so/log/curator/cron-node-delete.log 2>&1 + - user: root + - minute: '*/5' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' +{% endif %} {% else %} {{sls}}_state_not_allowed: From 7030f3556180fcfb5e76abddcc5f47e47621b290 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 00:54:36 +0000 Subject: [PATCH 424/470] Update Curator state --- salt/curator/init.sls | 93 ++++++++++--------------------------------- 1 file changed, 20 insertions(+), 73 deletions(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 7ef48a382..d6267881e 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -5,6 +5,12 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} +{% from 'docker/docker.map.jinja' import DOCKER %} +{% from "curator/map.jinja" import CURATOROPTIONS %} +{% from "curator/map.jinja" import CURATORMERGED %} +{% set REMOVECURATORCRON = False %} + # Curator # Create the group curatorgroup: 
@@ -26,12 +32,7 @@ curlogdir: - name: /opt/so/log/curator - user: 934 - group: 939 -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-managersearch', 'so-heavynode', 'so-manager']%} -{% from 'docker/docker.map.jinja' import DOCKER %} -{% from "curator/map.jinja" import CURATOROPTIONS %} -{% from "curator/map.jinja" import CURATORMERGED %} -{% set REMOVECURATORCRON = False %} + curactiondir: file.directory: - name: /opt/so/conf/curator/action @@ -49,7 +50,6 @@ actionconfs: - defaults: CURATORMERGED: {{ CURATORMERGED }} - curconf: file.managed: - name: /opt/so/conf/curator/curator.yml @@ -60,40 +60,6 @@ curconf: - template: jinja - show_changes: False -curcloseddel: - file.managed: - - name: /usr/sbin/so-curator-closed-delete - - source: salt://curator/files/bin/so-curator-closed-delete - - user: 934 - - group: 939 - - mode: 755 - -curcloseddeldel: - file.managed: - - name: /usr/sbin/so-curator-closed-delete-delete - - source: salt://curator/files/bin/so-curator-closed-delete-delete - - user: 934 - - group: 939 - - mode: 755 - - template: jinja - -curclose: - file.managed: - - name: /usr/sbin/so-curator-close - - source: salt://curator/files/bin/so-curator-close - - user: 934 - - group: 939 - - mode: 755 - - template: jinja - -curdel: - file.managed: - - name: /usr/sbin/so-curator-delete - - source: salt://curator/files/bin/so-curator-delete - - user: 934 - - group: 939 - - mode: 755 - curclusterclose: file.managed: - name: /usr/sbin/so-curator-cluster-close 
@@ -103,13 +69,21 @@ curclusterclose: - mode: 755 - template: jinja -curclusterdelete: +curclusterdelete: file.managed: - - name: /usr/sbin/so-curator-cluster-delete + - name: /usr/sbin/so-curator-delete-delete - source: salt://curator/files/bin/so-curator-cluster-delete - user: 934 - group: 939 - mode: 755 + +curclusterdeletedelete: + file.managed: + - name: /usr/sbin/so-curator-cluster-delete-delete + - source: salt://curator/files/bin/so-curator-cluster-delete-delete + - user: 934 + - group: 939 + - mode: 755 - template: jinja so-curator: @@ -162,43 +136,16 @@ so-curatorclusterclose: - month: '*' - dayweek: '*' -so-curatorclusterdelete: +so-curatorclusterdeletecron: cron.present: - - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-delete.log 2>&1 - - user: root - - minute: '2' - - hour: '*/1' - - daymonth: '*' - - month: '*' - - dayweek: '*' -{% else %} -curnodedel: - file.managed: - - name: /usr/sbin/so-curator-node-delete - - source: salt://curator/files/bin/so-curator-node-delete - - user: 934 - - group: 939 - - mode: 755 - -curnodedeldel: - file.managed: - - name: /usr/sbin/so-curator-node-delete-delete - - source: salt://curator/files/bin/so-curator-node-delete-delete - - user: 934 - - group: 939 - - mode: 755 - - template: jinja - -so-curatornodedeletecron: - cron.present: - - name: /usr/sbin/so-curator-node-delete > /opt/so/log/curator/cron-node-delete.log 2>&1 + - name: /usr/sbin/so-curator-cluster-delete-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1 - user: root - minute: '*/5' - hour: '*' - daymonth: '*' - month: '*' - dayweek: '*' -{% endif %} + {% else %} {{sls}}_state_not_allowed: From 32e92d10ad0718ef87e25ecf8b58ca6d6e319cd1 Mon Sep 17 00:00:00 2001 
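Review bot: `curclusterdelete` now installs `so-curator-cluster-delete` under the name `/usr/sbin/so-curator-delete-delete`, and `so-curatorclusterdeletecron` calls `/usr/sbin/so-curator-cluster-delete-delete` directly every five minutes, so the wrapper whose only job is the pid lock-file guard is never on the cron path and overlapping delete runs are no longer prevented. If the wrapper is meant to stay, the state should read `- name: /usr/sbin/so-curator-cluster-delete` and the cron should call that path; otherwise drop the wrapper state and put the single-instance guard inside `so-curator-cluster-delete-delete`. The cron hunk (`@@ -162,43`) shares this point.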
From: Wes Date: Tue, 28 Mar 2023 00:55:56 +0000 Subject: [PATCH 425/470] Add new cluster space management scripts --- .../so-elasticsearch-cluster-space-configure | 41 +++++++++++++++ .../sbin/so-elasticsearch-cluster-space-total | 51 +++++++++++++++++++ .../sbin/so-elasticsearch-cluster-space-used | 23 +++++++++ 3 files changed, 115 insertions(+) create mode 100755 salt/common/tools/sbin/so-elasticsearch-cluster-space-configure create mode 100755 salt/common/tools/sbin/so-elasticsearch-cluster-space-total create mode 100755 salt/common/tools/sbin/so-elasticsearch-cluster-space-used diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-configure b/salt/common/tools/sbin/so-elasticsearch-cluster-space-configure new file mode 100755 index 000000000..70fb37e3e --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-configure 
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+# Determine available disk space
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %}
+{% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %}
+
+# Wait for ElasticSearch to initialize
+#COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 240 ]]; do
+ so-elasticsearch-query / -k --output /dev/null --silent --head --fail
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ exit 1
+fi
+
+AVAILABLE_SPACE=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ ELASTICMERGED.retention_pct }})
+ELASTICSEARCH_PILLAR="/opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls"
+if grep -q log_size_limit $ELASTICSEARCH_PILLAR ; then
+ sed -i s"/log_size_limit:.*/log_size_limit: $AVAILABLE_SPACE/" $ELASTICSEARCH_PILLAR
+else
+ echo " retention:" >> $ELASTICSEARCH_PILLAR
+ echo " log_size_limit: $AVAILABLE_SPACE" >> $ELASTICSEARCH_PILLAR
+fi
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
new file mode 100755
index 000000000..962d515e2
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
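Review bot: `AVAILABLE_SPACE` is written into the pillar without being checked, so if `so-elasticsearch-cluster-space-total` fails or prints nothing the sed/append leaves `log_size_limit: ` (an empty value, null to YAML) in `soc_elasticsearch.sls`; `#COUNT=0` is also commented out, which only works because bash treats the unset variable as 0 in `[[ -le ]]` and differs from the sibling script that sets it. Validate the number before touching the pillar (below), and note the append branch adds a second `retention:` key if the pillar already has one without `log_size_limit`, which most loaders resolve as last-wins; the quoting `sed -i "s/log_size_limit:.*/log_size_limit: $AVAILABLE_SPACE/"` is the conventional form.
```shell
COUNT=0
# … unchanged: wait-for-Elasticsearch loop and connection check …
AVAILABLE_SPACE=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ ELASTICMERGED.retention_pct }})
ELASTICSEARCH_PILLAR="/opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls"
# Refuse to write a non-numeric (or empty) limit into the pillar.
if ! [[ "$AVAILABLE_SPACE" =~ ^[0-9]+$ ]]; then
  echo "Unable to determine cluster space (got '$AVAILABLE_SPACE'); $ELASTICSEARCH_PILLAR left unchanged"
  exit 1
fi
# … unchanged: grep/sed/append of log_size_limit …
```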
@@ -0,0 +1,51 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+TOTAL_AVAILABLE_SPACE=0
+
+# Wait for ElasticSearch to initialize
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 240 ]]; do
+ so-elasticsearch-query / -k --output /dev/null --silent --head --fail
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ exit 1
+fi
+
+# Set percentage of space to desired value, otherwise use a default value of 80 percent
+if [[ "$1" != "" ]]; then
+ PERCENTAGE=$1
+else
+ PERCENTAGE=80
+fi
+
+# Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space
+for i in $(so-elasticsearch-query _cat/allocation | awk '{print $5}'); do
+ size=$(echo $i | grep -oE '[0-9]+')
+ unit=$(echo $i | grep -oE '[A-Za-z]+')
+ if [ $unit = "tb" ]; then
+ size=$(( size * 1024 ))
+ fi
+ TOTAL_AVAILABLE_SPACE=$(( TOTAL_AVAILABLE_SPACE + size ))
+done
+
+# Calculate the percentage of available space based on our previously defined value
+PERCENTAGE_AVAILABLE_SPACE=$(( TOTAL_AVAILABLE_SPACE*PERCENTAGE/100 ))
+echo "$PERCENTAGE_AVAILABLE_SPACE"
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-used b/salt/common/tools/sbin/so-elasticsearch-cluster-space-used
new file mode 100755
index 000000000..3e8832ba0
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-used
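Review bot: The size parsing breaks on the values `_cat/allocation` actually prints: `grep -oE '[0-9]+'` turns a decimal such as `1.5tb` into two lines (`1` and `5`), which then fails inside `$(( ... ))`, and only `tb` is converted, so `mb`/`kb`/`b` cells are silently summed as whole gigabytes; `[ $unit = "tb" ]` with an empty `unit` is a syntax error as well. The sibling so-elasticsearch-cluster-space-used script in the next hunk shares the unit handling. One awk expression handles decimals and units together (below); `$1` should also be checked with `[[ "$1" =~ ^[0-9]+$ ]]` rather than `!= ""` before it is used in arithmetic.
```shell
for i in $(so-elasticsearch-query _cat/allocation | awk '{print $5}'); do
  # Keep decimals (e.g. 1.5tb) and normalise to GB; anything that is not
  # tb/gb (mb, kb, b, or a non-size cell) contributes 0 GB to the total.
  size=$(echo "$i" | awk '{ v = $1 + 0
    if ($1 ~ /tb$/) v = v * 1024
    else if ($1 !~ /gb$/) v = 0
    print int(v + 0.5) }')
  TOTAL_AVAILABLE_SPACE=$(( TOTAL_AVAILABLE_SPACE + size ))
done
```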
@@ -0,0 +1,23 @@
+#!/bin/bash
+#
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
+
+TOTAL_AVAILABLE_SPACE=0
+
+# Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space
+for i in $(so-elasticsearch-query _cat/allocation | awk '{print $3}'); do
+ size=$(echo $i | grep -oE '[0-9].*' | awk '{print int($1+0.5)}')
+ unit=$(echo $i | grep -oE '[A-Za-z]+')
+ if [ $unit = "tb" ]; then
+ size=$(( size * 1024 ))
+ fi
+ TOTAL_AVAILABLE_SPACE=$(( TOTAL_AVAILABLE_SPACE + size ))
+done
+
+# Calculate the percentage of available space based on our previously defined value
+echo "$TOTAL_AVAILABLE_SPACE"
From fc0b9fa47cb598faeaf43caec4028a507801563c Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 00:57:45 +0000 Subject: [PATCH 426/470] Remove Curator closed index deletion scripts --- .../files/bin/so-curator-closed-delete | 36 -------- .../files/bin/so-curator-closed-delete-delete | 61 ------------- .../bin/so-curator-cluster-delete-delete | 86 +++++++++++++++++++ 3 files changed, 86 insertions(+), 97 deletions(-) delete mode 100755 salt/curator/files/bin/so-curator-closed-delete delete mode 100755 salt/curator/files/bin/so-curator-closed-delete-delete create mode 100755 salt/curator/files/bin/so-curator-cluster-delete-delete
diff --git a/salt/curator/files/bin/so-curator-closed-delete b/salt/curator/files/bin/so-curator-closed-delete
deleted file mode 100755
index e585df406..000000000
--- a/salt/curator/files/bin/so-curator-closed-delete
+++ /dev/null
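Review bot: The comments and names in this script were copied from the total script and no longer describe it: it sums column 3 of `_cat/allocation` (used space, per the file name) into a variable called `TOTAL_AVAILABLE_SPACE`, and the final comment says "Calculate the percentage of available space" above a plain `echo`. Rename to `TOTAL_USED_SPACE` and replace the two comments with `# Sum the used-space column of _cat/allocation across all nodes, in GB` and `# Print the cluster-wide used space in GB`. The decimal handling here (`awk '{print int($1+0.5)}'`) is the right idea and is what the total script lacks; the tb-only unit conversion and unquoted `$unit` are shared with it.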
@@ -1,36 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -#. /usr/sbin/so-elastic-common -#. /etc/nsm/securityonion.conf - -# If logrotate script doesn't already exist, create it -#FILE="/etc/logrotate.d/so-curator-closed-delete" -#if ! [ -f ${FILE} ]; then -# cat << EOF > ${FILE} -#/var/log/nsm/so-curator-closed-delete.log { -# daily -# rotate 7 -# copytruncate -# compress -# missingok -# notifempty -#} -#EOF -#fi - -# Avoid starting multiple instances -APP=closeddelete -lf=/tmp/$APP-pidLockFile -# create empty lock file if none exists -cat /dev/null >> $lf -read lastPID < $lf -# if lastPID is not null and a process with that pid exists , exit -[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit -echo $$ > $lf - -/usr/sbin/so-curator-closed-delete-delete diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete deleted file mode 100755 index fe62d3bf5..000000000 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -{% from 'vars/globals.map.jinja' import GLOBALS %} -{%- if grains['role'] in ['so-searchnode', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port') -%} -{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set ELASTICSEARCH_HOST = GLOBALS.manager_ip -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port') -%} -{%- endif -%} -{%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit') -%} - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -LOG="/opt/so/log/curator/so-curator-closed-delete.log" - -overlimit() { - - [[ $(du -hs --block-size=1GB /nsm/elasticsearch/nodes | awk '{print $1}' ) -gt "{{LOG_SIZE_LIMIT}}" ]] -} - -closedindices() { - - # If we can't query Elasticsearch, then immediately return false. - curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1 - [ $? -eq 1 ] && return false - # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. - # Next, filter out any so-case indices. - # Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices. 
- curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)" -} - -# Check for 2 conditions: -# 1. Are Elasticsearch indices using more disk space than LOG_SIZE_LIMIT? -# 2. Are there any closed indices that we can delete? -# If both conditions are true, keep on looping until one of the conditions is false. -while overlimit && closedindices; do - - # We need to determine OLDEST_INDEX: - # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. - # Next, filter out any so-case indices and only select the remaining logstash- or so- indices. - # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. - # Finally, select the first entry in that sorted list. - OLDEST_INDEX=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) - - # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it. - curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} - - # Finally, write a log entry that says we deleted it. - echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG} - -done diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete new file mode 100755 index 000000000..4a1dec241 --- /dev/null +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
@@ -0,0 +1,86 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{%- if grains['role'] in ['so-searchnode', 'so-heavynode'] %}
+ {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%}
+ {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port') -%}
+{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %}
+ {%- set ELASTICSEARCH_HOST = GLOBALS.manager_ip -%}
+ {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port') -%}
+{%- endif -%}
+{%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:retention:log_size_limit') -%}
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+LOG="/opt/so/log/curator/so-curator-cluster-delete.log"
+
+overlimit() {
+
+ [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "{{LOG_SIZE_LIMIT}}" ]]
+}
+
+closedindices() {
+
+ # If we can't query Elasticsearch, then immediately return false.
+ /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close > /dev/null 2>&1
+ [ $? -eq 1 ] && return false
+ # First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'.
+ # Next, filter out any so-case indices.
+ # Finally, use grep's -q option to return true if there are any remaining logstash-, so-, or .ds-logs- indices.
+ CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -q -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+ for CLOSED_INDEX in ${CLOSED_INDICES}; do
+ # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it.
+ # First, we need to check if the index is assigned as the current write index for a data stream
+ # To do so, we need to identify to which data stream this index is associated
+ DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
+ DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN")
+ CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
+ if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
+ # This should not be a write index, so we should be allowed to delete it
+ /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE
+ # Finally, write a log entry that says we deleted it.
+ echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG}
+ fi
+ if ! overlimit; then
+ exit
+ fi
+ done
+}
+
+while overlimit; do
+
+ # We need to determine OLDEST_OPEN_INDEX:
+ # First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'.
+ # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices.
+ # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
+ OPEN_INDICES=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3)
+ #OLDEST_OPEN_INDEX=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3 | head -1)
+
+ for OPEN_INDEX in ${OPEN_INDICES}; do
+ # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it.
+ # First, we need to check if the index is assigned as the current write index for a data stream
+ # To do so, we need to identify to which data stream this index is associated
+ DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+"
+ DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN")
+ CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name)
+ if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then
+ # This should not be a write index, so we should be allowed to delete it
+ /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE
+ # Finally, write a log entry that says we deleted it.
+ echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG}
+ fi
+ if ! overlimit; then
+ exit
+ fi
+ done
+done
+
From a38aa903ac5626740b8035bb742ada608ff0c2bb Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 01:36:52 +0000 Subject: [PATCH 427/470] Configure cluster space settings --- salt/elasticsearch/init.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index b9caa2e89..e1d2b041b 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
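Review bot: The `while overlimit` loop at the bottom has no exit path for a pass that deletes nothing: if every remaining open index is its data stream's current write index, or the `-XDELETE` fails, the inner `for` runs through, `overlimit` is still true, and the script spins re-querying `_cat/indices` forever while the pid lock in so-curator-cluster-delete keeps later cron runs from starting. Tracking whether a pass deleted anything fixes it: `DELETED=0` before the `for`, `DELETED=1` right after the `-XDELETE`, and `[ "${DELETED}" -eq 0 ] && exit` after the inner `done`. The write-index check is also fail-open: when the `_data_stream/$DATASTREAM` lookup fails, or `DATASTREAM` is empty because the index name did not match the pattern and the query lists every stream, `CURRENT_WRITE_INDEX` is empty or `null`, the `!=` test passes, and the delete is attempted anyway, so a guard such as `[ -z "${CURRENT_WRITE_INDEX}" ] && continue` before the comparison is safer in a destructive loop. `closedindices` is defined but never called, and `grep -q` in its `CLOSED_INDICES=` pipeline prints nothing, so that loop body could never execute; the "Fix closed index function and check" commit later on this page reworks it.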
@@ -372,6 +372,13 @@ so-es-cluster-settings: - docker_container: so-elasticsearch - file: es_sync_scripts +so-es-cluster-space-configure: + cmd.run: + - name: /usr/sbin/so-elasticsearch-cluster-space-configure + - cwd: /opt/so + - require: + - docker_container: so-elasticsearch + so-elasticsearch-ilm-policy-load: cmd.run: - name: /usr/sbin/so-elasticsearch-ilm-policy-load @@ -407,7 +414,6 @@ so-elasticsearch-roles-load: - docker_container: so-elasticsearch - file: es_sync_scripts - {% else %} {{sls}}_state_not_allowed: From c68235c169c7c3a383955c0e77f896f94ee6a6bf Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 02:27:27 +0000 Subject: [PATCH 428/470] Fix Curator script name --- salt/curator/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index d6267881e..f60bc9e28 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -71,7 +71,7 @@ curclusterclose: curclusterdelete: file.managed: - - name: /usr/sbin/so-curator-delete-delete + - name: /usr/sbin/so-curator-delete - source: salt://curator/files/bin/so-curator-cluster-delete - user: 934 - group: 939 From e2290d8a8e0606884940c53b8405e31c3c8bc619 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 12:19:36 +0000 Subject: [PATCH 429/470] Remove unncessary Salt logic for Elasticsearch --- .../curator/files/bin/so-curator-cluster-delete-delete | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index 4a1dec241..73076851c 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
@@ -5,13 +5,7 @@ # Elastic License 2.0. {% from 'vars/globals.map.jinja' import GLOBALS %} -{%- if grains['role'] in ['so-searchnode', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port') -%} -{%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set ELASTICSEARCH_HOST = GLOBALS.manager_ip -%} - {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port') -%} -{%- endif -%} +{%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} {%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:retention:log_size_limit') -%} # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one @@ -19,8 +13,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - - LOG="/opt/so/log/curator/so-curator-cluster-delete.log" overlimit() { From 4352825cebf47897dc4277d17af2f7e66cdf806d Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 12:25:49 +0000 Subject: [PATCH 430/470] Calculate log size limit every time so-curator-cluster-delete-delete runs --- salt/curator/files/bin/so-curator-cluster-delete-delete | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index 73076851c..e2468b22e 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
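Review bot: `ELASTICSEARCH_HOST` is still assigned from `GLOBALS.node_ip` after this change, but nothing in the script references it any more: every request goes through `/usr/sbin/so-elasticsearch-query`, and `{{ELASTICSEARCH_HOST}}` does not appear anywhere in the file as added earlier on this page. Dropping the `{%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%}` line (and the `GLOBALS` import if nothing else needs it) keeps the template from suggesting a host selection that the script no longer performs. The rest of the file is outside these hunks, so confirm no later line was changed to use it.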
@@ -5,8 +5,9 @@
# Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
-{%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%}
-{%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:retention:log_size_limit') -%}
+{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %}
+{%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%}
+{%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%}
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
@@ -17,7 +18,7 @@ LOG="/opt/so/log/curator/so-curator-cluster-delete.log"
overlimit() {
- [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "{{LOG_SIZE_LIMIT}}" ]]
+ [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "/usr/sbin/so-elasticsearch-cluster-space-total{{ RETENTION.retention_pct}}" ]]
}
closedindices() {
From 22e8e3be28d18c64c888acf9c2a78b256d288cf1 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 12:27:12 +0000 Subject: [PATCH 431/470] Remove the cluster space configuration script --- .../so-elasticsearch-cluster-space-configure | 41 ------------------- 1 file changed, 41 deletions(-) delete mode 100755 salt/common/tools/sbin/so-elasticsearch-cluster-space-configure
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-configure b/salt/common/tools/sbin/so-elasticsearch-cluster-space-configure deleted file mode 100755
index 70fb37e3e..000000000
--- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-configure
+++ /dev/null
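Review bot: The right-hand operand of `-gt` in the new `overlimit` line is a quoted string containing a path, not a command substitution, so so-elasticsearch-cluster-space-total is never executed; `[[ ... -gt ... ]]` evaluates the string as an arithmetic expression, and one that begins with `/` is a syntax error, which makes `overlimit` fail on every call and the deletion loop never run. It needs `$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct }})`, including the space before the Jinja argument that the string also lacks; the "Changes for LOG_SIZE_LIMIT" commit later on this page does that. The `{{ RETENTION.retention_pct}}` spacing is also inconsistent with the other Jinja expressions in the file.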
@@ -1,41 +0,0 @@ -#!/bin/bash -# -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -. /usr/sbin/so-common - -# Determine available disk space -{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICDEFAULTS %} -{% set ELASTICMERGED = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) %} - -# Wait for ElasticSearch to initialize -#COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query / -k --output /dev/null --silent --head --fail - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - break - else - ((COUNT+=1)) - sleep 1 - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo - exit 1 -fi - -AVAILABLE_SPACE=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ ELASTICMERGED.retention_pct }}) -ELASTICSEARCH_PILLAR="/opt/so/saltstack/local/pillar/elasticsearch/soc_elasticsearch.sls" -if grep -q log_size_limit $ELASTICSEARCH_PILLAR ; then - sed -i s"/log_size_limit:.*/log_size_limit: $AVAILABLE_SPACE/" $ELASTICSEARCH_PILLAR -else - echo " retention:" >> $ELASTICSEARCH_PILLAR - echo " log_size_limit: $AVAILABLE_SPACE" >> $ELASTICSEARCH_PILLAR -fi From f854d92cab671cea27c338659ba0a3182366f871 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 12:27:45 +0000 Subject: [PATCH 432/470] Remove the cluster space configuration script reference from the Elasticsearch state --- salt/elasticsearch/init.sls | 7 ------- 1 file changed, 7 deletions(-) 
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index e1d2b041b..e128c9dae 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -372,13 +372,6 @@ so-es-cluster-settings: - docker_container: so-elasticsearch - file: es_sync_scripts -so-es-cluster-space-configure: - cmd.run: - - name: /usr/sbin/so-elasticsearch-cluster-space-configure - - cwd: /opt/so - - require: - - docker_container: so-elasticsearch - so-elasticsearch-ilm-policy-load: cmd.run: - name: /usr/sbin/so-elasticsearch-ilm-policy-load From 46d9e0b804fe6170aa2502f0ed117321b6f3875c Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 28 Mar 2023 08:53:05 -0400 Subject: [PATCH 433/470] Update soc_idh.yaml --- salt/idh/soc_idh.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/idh/soc_idh.yaml b/salt/idh/soc_idh.yaml index b00bc2d34..60d0203f5 100644 --- a/salt/idh/soc_idh.yaml +++ b/salt/idh/soc_idh.yaml @@ -127,5 +127,5 @@ idh: helpLink: idh.html config: port: - description: Port that the real SSH service will listen on and will only accessible from the manager. + description: Port that the real SSH service will listen on and will only be accessible from the manager. helpLink: idh.html From adbc9df2223bd231944bfabca1db7f01a94a0686 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 12:54:32 +0000 Subject: [PATCH 434/470] Changes for LOG_SIZE_LIMIT --- salt/curator/files/bin/so-curator-cluster-delete-delete | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index e2468b22e..109c3380b 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
@@ -15,10 +15,10 @@
# Elastic License 2.0.
LOG="/opt/so/log/curator/so-curator-cluster-delete.log"
+LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}})
overlimit() {
-
- [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "/usr/sbin/so-elasticsearch-cluster-space-total{{ RETENTION.retention_pct}}" ]]
+ [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]]
}
closedindices() {
@@ -41,7 +41,7 @@ closedindices() {
# This should not be a write index, so we should be allowed to delete it
/usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE
# Finally, write a log entry that says we deleted it.
- echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG}
+ echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG}
fi
if ! overlimit; then
exit
@@ -69,7 +69,7 @@ while overlimit; do
# This should not be a write index, so we should be allowed to delete it
/usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE
# Finally, write a log entry that says we deleted it.
- echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG}
+ echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG}
fi
if ! overlimit; then
exit
From d886265211a54a0f88aca790c7062302a2d46842 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 28 Mar 2023 09:01:41 -0400 Subject: [PATCH 435/470] add elasticfleet state to top for eval node --- salt/top.sls | 1 + 1 file changed, 1 insertion(+)
diff --git a/salt/top.sls b/salt/top.sls
index 6a403398d..cfcb8220e 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -105,6 +105,7 @@ base:
- playbook
- redis
{%- endif %}
+ - elasticfleet
- docker_clean
'*_manager and G@saltversion:{{saltversion}}':
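Review bot: The new `LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total ...)` assignment is used by `overlimit` without checking that it holds a number; when the helper cannot reach Elasticsearch it exits non-zero (its retry loop is visible in a later hunk on this page), and an empty result is treated as 0 by `[[ -gt ]]`, which makes `overlimit` true for any non-zero usage and starts deleting indices with no limit at all, while a non-numeric result raises an arithmetic error on every check. Because this value gates a destructive loop it should be validated once, right after the assignment, and fail closed: `[[ "${LOG_SIZE_LIMIT}" =~ ^[0-9]+$ ]] || { echo "$(date) - Could not determine LOG_SIZE_LIMIT, not deleting anything" >> ${LOG}; exit 1; }`. The output of so-elasticsearch-cluster-space-used on the left side of the comparison deserves the same check.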
From b3b030958cbff6206871f3a35a9c115441c1ac88 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 13:17:23 +0000 Subject: [PATCH 436/470] Use explicit path to so-elasticsearch-query --- salt/curator/files/bin/so-curator-cluster-delete-delete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index 109c3380b..ff77b9a39 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete @@ -55,7 +55,7 @@ while overlimit; do # First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'. # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices. # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. - OPEN_INDICES=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) + OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) #OLDEST_OPEN_INDEX=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3 | head -1) for OPEN_INDEX in ${OPEN_INDICES}; do From a1394b9102461bbf7431c1e972dd929076ef2150 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 13:18:00 +0000 Subject: [PATCH 437/470] Use explicit path to so-elasticsearch-query --- salt/common/tools/sbin/so-elasticsearch-cluster-space-total | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total index 962d515e2..f7bd151ad 100755 
--- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total +++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total @@ -13,7 +13,7 @@ TOTAL_AVAILABLE_SPACE=0 COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query / -k --output /dev/null --silent --head --fail + /usr/sbin/so-elasticsearch-query / -k --output /dev/null --silent --head --fail if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" break @@ -37,7 +37,7 @@ else fi # Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space -for i in $(so-elasticsearch-query _cat/allocation | awk '{print $5}'); do +for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $5}'); do size=$(echo $i | grep -oE '[0-9]+') unit=$(echo $i | grep -oE '[A-Za-z]+') if [ $unit = "tb" ]; then From 1ab253b8c38e989388f5d0d5d78cbafbb7d73655 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 13:18:14 +0000 Subject: [PATCH 438/470] Use explicit path to so-elasticsearch-query --- salt/common/tools/sbin/so-elasticsearch-cluster-space-used | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-used b/salt/common/tools/sbin/so-elasticsearch-cluster-space-used index 3e8832ba0..dbc35440d 100755 --- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-used +++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-used @@ -10,7 +10,7 @@ TOTAL_AVAILABLE_SPACE=0 # Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space -for i in $(so-elasticsearch-query _cat/allocation | awk '{print $3}'); do +for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $3}'); do size=$(echo $i | grep -oE '[0-9].*' | awk '{print int($1+0.5)}') unit=$(echo $i | grep -oE '[A-Za-z]+') if [ $unit = "tb" ]; then From 82efce0b310d84df16cac53a880bd45abaa221b8 Mon Sep 17 00:00:00 2001 
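Review bot: The `size=$(echo $i | grep -oE '[0-9]+')` line directly under the changed `for` line breaks on fractional values: for a `disk.total` such as `1.5tb`, `grep -oE '[0-9]+'` prints `1` and `5` on separate lines, so `size` becomes a two-line string and the `$(( size * 1024 ))` and `$(( TOTAL_AVAILABLE_SPACE + size ))` arithmetic fails, and where only one match occurs the fraction is silently dropped. Elasticsearch's human-readable byte columns routinely carry one decimal, so this is the common case rather than an edge. The sibling so-elasticsearch-cluster-space-used script, whose hunk follows, already handles it with `size=$(echo $i | grep -oE '[0-9].*' | awk '{print int($1+0.5)}')`; using the same line here keeps the two scripts consistent. The rest of the loop is outside the hunk.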
From: Wes Date: Tue, 28 Mar 2023 13:23:23 +0000 Subject: [PATCH 439/470] Ensure so-curator-cluster-delete is run to manage so-curator-cluster-delete-delete --- salt/curator/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index f60bc9e28..26a8edc0e 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -138,7 +138,7 @@ so-curatorclusterclose: so-curatorclusterdeletecron: cron.present: - - name: /usr/sbin/so-curator-cluster-delete-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1 + - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1 - user: root - minute: '*/5' - hour: '*' From 138b31270547873c81da3fced2da7a9ec058139a Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 13:52:59 +0000 Subject: [PATCH 440/470] Fix script name --- salt/curator/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 26a8edc0e..36f1261fe 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -71,7 +71,7 @@ curclusterclose: curclusterdelete: file.managed: - - name: /usr/sbin/so-curator-delete + - name: /usr/sbin/so-curator-cluster-delete - source: salt://curator/files/bin/so-curator-cluster-delete - user: 934 - group: 939 From e1bda5acfd80b88d9e5b74f99af833156b91e5b1 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 14:18:27 +0000 Subject: [PATCH 441/470] Update verbiage for so-curator-cluster-delete-delete --- .../bin/so-curator-cluster-delete-delete | 52 +++++++++---------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index ff77b9a39..2818dd506 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
@@ -9,11 +9,6 @@ {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} {%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%} -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - LOG="/opt/so/log/curator/so-curator-cluster-delete.log" LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}}) 
@@ -26,22 +21,26 @@ closedindices() { # If we can't query Elasticsearch, then immediately return false. /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close > /dev/null 2>&1 [ $? -eq 1 ] && return false - # First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'. + # We need to determine the oldest closed index. + # First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'. # Next, filter out any so-case indices. # Finally, use grep's -q option to return true if there are any remaining logstash-, so-, or .ds-logs- indices. CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -q -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) - for CLOSED_INDEX in ${CLOSED_INDICES}; do - # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it. - # First, we need to check if the index is assigned as the current write index for a data stream + # We iterate through the closed indices + for CLOSED_INDEX in ${CLOSED_INDICES}; do + # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream # To do so, we need to identify to which data stream this index is associated + # We extract the data stream name using the pattern below DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN") + # We look up the data stream, and determine the write index CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) - if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then - # This should not be a write index, so we should be allowed to delete it - /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE - # Finally, write a log entry that says we deleted it. 
- echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG} + # We make sure we are not trying to delete a write index + if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then + # This should not be a write index, so we should be allowed to delete it + /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE + # Finally, write a log entry that says we deleted it. + echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG} fi if ! overlimit; then exit 
@@ -51,25 +50,26 @@ closedindices() { while overlimit; do - # We need to determine OLDEST_OPEN_INDEX: + # We need to determine the oldest open index. # First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'. # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices. # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) - #OLDEST_OPEN_INDEX=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3 | head -1) - - for OPEN_INDEX in ${OPEN_INDICES}; do - # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it. - # First, we need to check if the index is assigned as the current write index for a data stream + # We iterate through the open indices + for OPEN_INDEX in ${OPEN_INDICES}; do + # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream # To do so, we need to identify to which data stream this index is associated + # We extract the data stream name using the pattern below DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN") - CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) - if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then - # This should not be a write index, so we should be allowed to delete it - /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE - # Finally, write a log entry that says we deleted it. 
- echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG} + # We look up the data stream, and determine the write index + CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) + # We make sure we are not trying to delete a write index + if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then + # This should not be a write index, so we should be allowed to delete it + /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE + # Finally, write a log entry that says we deleted it. + echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG} fi if ! overlimit; then exit From d494381e9d99273f5cd1149c3271f2818cac3ec6 Mon Sep 17 00:00:00 2001 From: Wes Date: Tue, 28 Mar 2023 14:18:49 +0000 Subject: [PATCH 442/470] Update verbiage for so-curator-cluster-delete --- .../files/bin/so-curator-cluster-delete | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index e99e88659..0f7945b78 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete @@ -4,25 +4,6 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - -#. /usr/sbin/so-elastic-common -#. /etc/nsm/securityonion.conf - -# If logrotate script doesn't already exist, create it -#FILE="/etc/logrotate.d/so-curator-cluster-delete" -#if ! [ -f ${FILE} ]; then -# cat << EOF > ${FILE} -#/var/log/nsm/so-curator-cluster-delete.log { -# daily -# rotate 7 -# copytruncate -# compress -# missingok -# notifempty -#} -#EOF -#fi - # Avoid starting multiple instances APP=clusterdelete lf=/tmp/$APP-pidLockFile From 9411f5ca79f760f77aa43eb320eb68505477bb99 Mon Sep 17 00:00:00 2001 
From: weslambert Date: Tue, 28 Mar 2023 10:54:21 -0400 Subject: [PATCH 443/470] Fix closed index function and check --- .../bin/so-curator-cluster-delete-delete | 95 ++++++++++--------- 1 file changed, 51 insertions(+), 44 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index 2818dd506..4f136274e 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
@@ -9,67 +9,47 @@ {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} {%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + LOG="/opt/so/log/curator/so-curator-cluster-delete.log" LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}}) overlimit() { - [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]] + [[ $(/usr/sbin/so-elasticsearch-cluster-space-used) -gt "${LOG_SIZE_LIMIT}" ]] } closedindices() { - # If we can't query Elasticsearch, then immediately return false. /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close > /dev/null 2>&1 [ $? -eq 1 ] && return false - # We need to determine the oldest closed index. - # First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'. + # First, get the list of closed indices using _cat/indices?h=index,status | grep close | awk '{print $1}'. # Next, filter out any so-case indices. # Finally, use grep's -q option to return true if there are any remaining logstash-, so-, or .ds-logs- indices. 
- CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -q -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) - # We iterate through the closed indices - for CLOSED_INDEX in ${CLOSED_INDICES}; do - # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream - # To do so, we need to identify to which data stream this index is associated - # We extract the data stream name using the pattern below - DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" - DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN") - # We look up the data stream, and determine the write index - CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) - # We make sure we are not trying to delete a write index - if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then - # This should not be a write index, so we should be allowed to delete it - /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE - # Finally, write a log entry that says we deleted it. - echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG} - fi - if ! overlimit; then - exit - fi - done + /usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -q -E "(logstash-|so-|.ds-logs-)" } -while overlimit; do +# Check for 2 conditions: +# 1. Are Elasticsearch indices using more disk space than LOG_SIZE_LIMIT? +# 2. Are there any closed indices that we can delete? +# If both conditions are true, keep on looping until one of the conditions is false. - # We need to determine the oldest open index. - # First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'. 
- # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices. - # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. - OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) - # We iterate through the open indices - for OPEN_INDEX in ${OPEN_INDICES}; do - # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream +while overlimit && closedindices; do + CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) + for CLOSED_INDEX in ${CLOSED_INDICES}; do + # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it. + # First, we need to check if the index is assigned as the current write index for a data stream # To do so, we need to identify to which data stream this index is associated - # We extract the data stream name using the pattern below DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" - DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN") - # We look up the data stream, and determine the write index - CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) - # We make sure we are not trying to delete a write index - if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then - # This should not be a write index, so we should be allowed to delete it - /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE - # Finally, write a log entry that says we deleted it. - echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." 
>> ${LOG} + DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN") + CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) + if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then + # This should not be a write index, so we should be allowed to delete it + /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE + # Finally, write a log entry that says we deleted it. + echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG} fi if ! overlimit; then exit 
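Review bot: `[ $? -eq 1 ] && return false` in closedindices() is not valid bash — `return` takes a numeric status, so this line prints "numeric argument required" and returns 2; the function does end up false, but only by accident, and the error text lands in the job output. Use `return 1`, or drop the pre-check altogether since the closing `grep -q` already supplies the function's exit status. The pre-check also cannot tell "no closed index" from "query failed", because a failed query most likely yields no "close" line and grep returns 1 exactly as it does for an empty list, so the removed comment about an unreachable Elasticsearch never described what the code does. In the loop, `-XDELETE` is issued and the "deleted" log line is written without looking at the result; `/usr/sbin/so-elasticsearch-query "${CLOSED_INDEX}" -XDELETE && echo "..." >> ${LOG}` (or logging the response on failure) would keep a rejected delete from being recorded as success, and the open-index loop in the next hunk has the same unchecked delete.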
@@ -77,3 +57,30 @@ while overlimit; do done done +while overlimit; do + + # We need to determine OLDEST_OPEN_INDEX: + # First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'. + # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices. + # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. + OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) + #OLDEST_OPEN_INDEX=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3 | head -1) + + for OPEN_INDEX in ${OPEN_INDICES}; do + # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it. + # First, we need to check if the index is assigned as the current write index for a data stream + # To do so, we need to identify to which data stream this index is associated + DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" + DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN") + CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) + if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then + # This should not be a write index, so we should be allowed to delete it + /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE + # Finally, write a log entry that says we deleted it. + echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG} + fi + if ! overlimit; then + exit + fi + done +done From 303fec6302b26370e8bb5c29d645f740e26e3dbb Mon Sep 17 00:00:00 2001 
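Review bot: The comment says `sort -t- -k3` orders the indices by date, but for the `.ds-logs-<dataset>-<namespace>-<date>-<gen>` backing indices the grep also selects, the third hyphen-delimited field is the dataset name rather than the date, so those are not processed oldest-first and the loop may delete recent data before older data — worth confirming against the index names in a real deployment. Sorting on the creation date that `_cat/indices` can emit (the `creation.date` column) instead of parsing the name would make the order independent of the naming scheme. `${OPEN_INDEX}` and `$DATASTREAM` are unquoted in the query calls; the values come from Elasticsearch rather than a user, but quoting them keeps the delete target exact. The loop body is otherwise a near-copy of the closed-index loop in the previous hunk, so a shared helper taking the status (`open`/`close`) would keep the two write-index guards from drifting apart.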
From: weslambert Date: Tue, 28 Mar 2023 10:59:39 -0400 Subject: [PATCH 444/470] Fix verbiage for so-curator-cluster-delete-delete --- .../bin/so-curator-cluster-delete-delete | 40 ++++++++++--------- 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index 4f136274e..7d67a76ff 100755 --- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete 
@@ -38,18 +38,21 @@ closedindices() { while overlimit && closedindices; do CLOSED_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep close | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) - for CLOSED_INDEX in ${CLOSED_INDICES}; do - # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it. - # First, we need to check if the index is assigned as the current write index for a data stream + # We iterate through the closed indices + for CLOSED_INDEX in ${CLOSED_INDICES}; do + # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream # To do so, we need to identify to which data stream this index is associated + # We extract the data stream name using the pattern below DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" DATASTREAM=$(echo "${CLOSED_INDEX}" | grep -oE "$DATASTREAM_PATTERN") + # We look up the data stream, and determine the write index CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) + # We make sure we are not trying to delete a write index if [ "${CLOSED_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then - # This should not be a write index, so we should be allowed to delete it - /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE - # Finally, write a log entry that says we deleted it. - echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG} + # This should not be a write index, so we should be allowed to delete it + /usr/sbin/so-elasticsearch-query ${CLOSED_INDEX} -XDELETE + # Finally, write a log entry that says we deleted it. + echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${CLOSED_INDEX} deleted ..." >> ${LOG} fi if ! overlimit; then exit 
@@ -59,25 +62,26 @@ done while overlimit; do - # We need to determine OLDEST_OPEN_INDEX: + # We need to determine the oldest open index. # First, get the list of open indices using _cat/indices?h=index,status | grep open | awk '{print $1}'. - # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices. - # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. + # Next, filter out any so-case indices and only select the remaining logstash-, so-, or .ds-logs- indices. + # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field. OPEN_INDICES=$(/usr/sbin/so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3) - #OLDEST_OPEN_INDEX=$(so-elasticsearch-query _cat/indices?h=index,status | grep open | awk '{print $1}' | grep -v "so-case" | grep -E "(logstash-|so-|.ds-logs-)" | sort -t- -k3 | head -1) - + # We iterate through the open indices for OPEN_INDEX in ${OPEN_INDICES}; do - # Now that we've determined OLDEST_OPEN_INDEX, ask Elasticsearch to delete it. 
- # First, we need to check if the index is assigned as the current write index for a data stream + # Now that we've sorted the indices from oldest to newest, we need to check each index to see if it is assigned as the current write index for a data stream # To do so, we need to identify to which data stream this index is associated + # We extract the data stream name using the pattern below DATASTREAM_PATTERN="logs-[a-zA-Z_.]+-[a-zA-Z_.]+" DATASTREAM=$(echo "${OPEN_INDEX}" | grep -oE "$DATASTREAM_PATTERN") + # We look up the data stream, and determine the write index CURRENT_WRITE_INDEX=$(/usr/sbin/so-elasticsearch-query _data_stream/$DATASTREAM | jq -r .data_streams[0].indices[-1].index_name) + # We make sure we are not trying to delete a write index if [ "${OPEN_INDEX}" != "${CURRENT_WRITE_INDEX}" ]; then - # This should not be a write index, so we should be allowed to delete it - /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE - # Finally, write a log entry that says we deleted it. - echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG} + # This should not be a write index, so we should be allowed to delete it + /usr/sbin/so-elasticsearch-query ${OPEN_INDEX} -XDELETE + # Finally, write a log entry that says we deleted it. + echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT (${LOG_SIZE_LIMIT} GB) - Index ${OPEN_INDEX} deleted ..." >> ${LOG} fi if ! overlimit; then exit From 942182e826f7d14ecb003fd3a864388b4e7429dc Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 28 Mar 2023 11:00:14 -0400 Subject: [PATCH 445/470] Remove additional copyright in so-curator-cluster-delete-delete --- salt/curator/files/bin/so-curator-cluster-delete-delete | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/curator/files/bin/so-curator-cluster-delete-delete b/salt/curator/files/bin/so-curator-cluster-delete-delete index 7d67a76ff..fe41ca1f0 100755 
--- a/salt/curator/files/bin/so-curator-cluster-delete-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete-delete @@ -9,11 +9,6 @@ {%- set ELASTICSEARCH_HOST = GLOBALS.node_ip -%} {%- set RETENTION = salt['pillar.get']('elasticsearch:retention', ELASTICDEFAULTS.elasticsearch.retention, merge=true) -%} -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - LOG="/opt/so/log/curator/so-curator-cluster-delete.log" LOG_SIZE_LIMIT=$(/usr/sbin/so-elasticsearch-cluster-space-total {{ RETENTION.retention_pct}}) From 636505ef98edc335b76db1088e8256c411ad48b1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 28 Mar 2023 11:18:56 -0400 Subject: [PATCH 446/470] Add license and common --- .../tools/sbin/so-elasticsearch-cluster-settings | 8 +++++++- salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines | 6 +++--- .../elasticsearch/tools/sbin/so-elasticsearch-roles-load | 6 ++++-- .../tools/sbin/so-elasticsearch-templates-load | 9 ++++++--- 4 files changed, 20 insertions(+), 9 deletions(-) diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings index 0cdec181e..2142372f2 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings @@ -1,4 +1,10 @@ -#!/bin/bash +#/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common ELASTICSEARCH_PORT=9200 
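Review bot: The shebang is changed from `#!/bin/bash` to `#/bin/bash`, which makes the first line an ordinary comment: the kernel no longer knows which interpreter to use, and a direct execution then runs under whatever the calling shell falls back to, where bash-isms in these scripts may fail. Restore `#!/bin/bash` here and in the same hunks for so-elasticsearch-pipelines, so-elasticsearch-roles-load and so-elasticsearch-templates-load; the later [PATCH 451/470] in this series, which fixes `#/bin/bash` in other scripts, does not list these four files in its diffstat. The added `. /usr/sbin/so-common` is unconditional, so whatever checks so-common performs (the NOROOT guard visible in PATCH 448 suggests a root check) now apply to these scripts too — presumably intended, but worth confirming for any non-root or non-interactive callers.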
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
index 04cd86c23..b5b765b94 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
@@ -1,10 +1,10 @@
-#!/bin/bash
-#
+#/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+. /usr/sbin/so-common
 RETURN_CODE=0
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load
index 130e0f762..18e37e587 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load
@@ -1,9 +1,11 @@
-#!/bin/bash
+#/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+. /usr/sbin/so-common
+
 default_conf_dir=/opt/so/conf
 ELASTICSEARCH_HOST="{{ GLOBALS.node_ip }}"
 ELASTICSEARCH_PORT=9200
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
index a10d07e13..0530b1a73 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
@@ -1,7 +1,10 @@
-#!/bin/bash
+#/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
-# this file except in compliance with the Elastic License 2.0.
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
 default_conf_dir=/opt/so/conf
 ELASTICSEARCH_HOST="{{ GLOBALS.node_ip }}"
From e77e645a361f3f15cb9a9e2e504a565fbbd994fd Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 28 Mar 2023 11:45:57 -0400
Subject: [PATCH 447/470] Update so-elasticsearch-cluster-space-total
---
 salt/common/tools/sbin/so-elasticsearch-cluster-space-total | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
index f7bd151ad..0e10b026c 100755
--- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
+++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
@@ -7,6 +7,8 @@
 . /usr/sbin/so-common
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
 TOTAL_AVAILABLE_SPACE=0
 # Wait for ElasticSearch to initialize
@@ -37,7 +39,11 @@ else
 fi
 # Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space
+{% if GLOBALS.role == 'so-manager' %}
+for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | grep -v {{ GLOBLAS.manager }} | awk '{print $5}'); do
+{% else %}
 for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $5}'); do
+{% endif %}
 size=$(echo $i | grep -oE '[0-9]+')
 unit=$(echo $i | grep -oE '[A-Za-z]+')
 if [ $unit = "tb" ]; then
From 492fe1fc8579f71ba4d0c3170941999cd91eba1b Mon Sep 17 00:00:00 2001
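Review bot: `grep -v {{ GLOBALS.manager }}` in the so-manager branch is an unanchored regex over the entire `_cat/allocation` row, so any node whose name contains the manager's name, or any row where that value matches another column, is also dropped from the total; `grep -vw "{{ GLOBALS.manager }}"` (or an `awk` comparison on the node-name column) narrows it to the intended row, and quoting the templated value also protects the pipeline if the name ever contains shell- or regex-significant characters. The same construct is added to so-elasticsearch-cluster-space-used in [PATCH 449/470], so both should change together. Whether excluding the manager's own disk from the total is intended for every manager-role deployment is not visible here; a comment such as `# On the manager, exclude the manager's own allocation row from the total` above the `{% if %}` would at least record the intent.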
From: Jason Ertel
Date: Tue, 28 Mar 2023 11:48:31 -0400
Subject: [PATCH 448/470] Ensure /usr/sbin is in path
---
 salt/common/tools/sbin/so-common | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 49b0d0527..2f436e86e 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -16,6 +16,11 @@ if [ -z $NOROOT ]; then
 fi
 fi
+# Ensure /usr/sbin is in path
+if ! echo "$PATH" | grep -q "/usr/sbin"; then
+ export PATH="$PATH:/usr/sbin"
+fi
+
 # Define a banner to separate sections
 banner="========================================================================="
From 74840264d74929307c65fe3372c94c8cb54cf989 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 28 Mar 2023 11:49:05 -0400
Subject: [PATCH 449/470] Update so-elasticsearch-cluster-space-used
---
 salt/common/tools/sbin/so-elasticsearch-cluster-space-used | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-used b/salt/common/tools/sbin/so-elasticsearch-cluster-space-used
index dbc35440d..b8ac4f6e6 100755
--- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-used
+++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-used
@@ -6,11 +6,16 @@
 # Elastic License 2.0.
 . /usr/sbin/so-common
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 TOTAL_AVAILABLE_SPACE=0
 # Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space
+{% if GLOBALS.role == 'so-manager' %}
+for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | grep -v {{ GLOBALS.manager }} | awk '{print $3}'); do
+{% else %}
 for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $3}'); do
+{% endif %}
 size=$(echo $i | grep -oE '[0-9].*' | awk '{print int($1+0.5)}')
 unit=$(echo $i | grep -oE '[A-Za-z]+')
 if [ $unit = "tb" ]; then
From ed8f94463818ce99acf57710bcef16b7191085e7 Mon Sep 17 00:00:00 2001
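Review bot: `grep -q "/usr/sbin"` is a substring test on the whole PATH value, so a PATH containing something like `/usr/sbin/foo` or `/opt/usr/sbin` passes the check without `/usr/sbin` being an entry, and the directory is then never added. A component-exact test avoids that: `case ":$PATH:" in *:/usr/sbin:*) ;; *) export PATH="$PATH:/usr/sbin" ;; esac`. Appending rather than prepending is the right choice, since it cannot shadow commands found earlier in PATH.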
From: Wes
Date: Tue, 28 Mar 2023 15:55:33 +0000
Subject: [PATCH 450/470] Fix typo in GLOBALS reference
---
 salt/common/tools/sbin/so-elasticsearch-cluster-space-total | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
index 0e10b026c..57360d505 100755
--- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
+++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
@@ -40,7 +40,7 @@ fi
 # Iterate through the output of _cat/allocation for each node in the cluster to determine the total available space
 {% if GLOBALS.role == 'so-manager' %}
-for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | grep -v {{ GLOBLAS.manager }} | awk '{print $5}'); do
+for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | grep -v {{ GLOBALS.manager }} | awk '{print $5}'); do
 {% else %}
 for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $5}'); do
 {% endif %}
From 64446f585cdbed1e818a3c0bb42e62acb48d37c4 Mon Sep 17 00:00:00 2001
From: m0duspwnens Date: Tue, 28 Mar 2023 11:55:47 -0400 Subject: [PATCH 451/470] change #/bin/bash to #!/bin/bash --- salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete | 2 +- salt/common/tools/sbin/so-elastic-fleet-agent-policy-list | 2 +- salt/common/tools/sbin/so-elastic-fleet-agent-policy-view | 2 +- salt/common/tools/sbin/so-elastic-fleet-data-streams-list | 2 +- .../sbin/so-elastic-fleet-integration-policy-bulk-delete | 2 +- .../tools/sbin/so-elastic-fleet-integration-policy-delete | 2 +- .../tools/sbin/so-elastic-fleet-integration-policy-list | 2 +- .../tools/sbin/so-elastic-fleet-integration-policy-load | 4 ++-- salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status | 2 +- salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete | 2 +- salt/common/tools/sbin/so-elasticsearch-ilm-policy-load | 2 +- salt/common/tools/sbin/so-elasticsearch-ilm-policy-view | 2 +- salt/common/tools/sbin/so-elasticsearch-ilm-restart | 2 +- salt/common/tools/sbin/so-elasticsearch-ilm-stop | 2 +- .../elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load | 2 +- 15 files changed, 16 insertions(+), 16 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete index fe21daae0..70b483424 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete +++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-delete @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list index 479fdc72d..d81067a7e 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list 
+++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-list @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view index 5f267220b..5e5b62de0 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view +++ b/salt/common/tools/sbin/so-elastic-fleet-agent-policy-view @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-data-streams-list b/salt/common/tools/sbin/so-elastic-fleet-data-streams-list index 238fc8ada..b3e35fdba 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-data-streams-list +++ b/salt/common/tools/sbin/so-elastic-fleet-data-streams-list @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete index 4596774b4..ac600ab40 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-bulk-delete 
@@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete index a8601028c..ded8da808 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-delete @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list index 07d2822fb..9dffc613c 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-list @@ -1,4 +1,4 @@ -#/bin/bash +#!/bin/bash # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index be4ec5246..4efdd5784 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
@@ -134,4 +134,4 @@ echo
 echo
 echo "Setting up SOC - Salt_Relay Logs package policy..."
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-salt-relay-logs","namespace":"so","description":"Security Onion - Salt Relay - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/salt-relay.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay","tags":[]}}}}}}'
-echo
\ No newline at end of file
+echo
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status b/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status
index db31dcb0f..130a7cf16 100755
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-lifecycle-status
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
index 108dd1178..2be9dabb2 100755
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-delete
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
index dda521736..26ce487a7 100755
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-load
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view
index d69e328fe..426b6938d 100755
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-policy-view
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-restart b/salt/common/tools/sbin/so-elasticsearch-ilm-restart
index 7f422ed6e..54654b251 100755
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-restart
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-restart
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/salt/common/tools/sbin/so-elasticsearch-ilm-stop b/salt/common/tools/sbin/so-elasticsearch-ilm-stop
index 23c068918..4868fd86d 100755
--- a/salt/common/tools/sbin/so-elasticsearch-ilm-stop
+++ b/salt/common/tools/sbin/so-elasticsearch-ilm-stop
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
index dda521736..26ce487a7 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-ilm-policy-load
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
From 5f49a120de21d23357bd247d735bcb65ebf1d44a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 28 Mar 2023 11:56:51 -0400 Subject: [PATCH 452/470] Update so-elasticsearch-templates-load
---
 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
index 0530b1a73..386026f0c 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
From 60d770411ae9c0f0c2a0921a89da41e191e80477 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 28 Mar 2023 11:57:07 -0400 Subject: [PATCH 453/470] Update so-elasticsearch-roles-load
---
 salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load
index 18e37e587..17265a7c4 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
From 591129b98ceddb203feb43ec9284f2e84642e856 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 28 Mar 2023 11:57:22 -0400 Subject: [PATCH 454/470] Update so-elasticsearch-pipelines
---
 salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
index b5b765b94..7fdc6ff7b 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
@@ -51,4 +51,4 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then
 fi
 else
 exit $RETURN_CODE
-fi
\ No newline at end of file
+fi
From 4efe22efb38058c0c2df984d8d4dd00ae66c7be3 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 28 Mar 2023 11:57:41 -0400 Subject: [PATCH 455/470] Update so-elasticsearch-cluster-settings
---
 salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings
index 2142372f2..83a997845 100755
--- a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings
@@ -1,4 +1,4 @@
-#/bin/bash
+#!/bin/bash
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
 # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
From 6099a04e414d521fba6134c012ed9d7e7a8e6e28 Mon Sep 17 00:00:00 2001
From: Wes Date: Tue, 28 Mar 2023 16:04:54 +0000 Subject: [PATCH 456/470] Change how the size is determined, in case there a decimal value is provided
---
 salt/common/tools/sbin/so-elasticsearch-cluster-space-total | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
index 57360d505..3faa2a7a9 100755
--- a/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
+++ b/salt/common/tools/sbin/so-elasticsearch-cluster-space-total
@@ -44,7 +44,7 @@ for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | grep -v {{ GLOBALS
 {% else %}
 for i in $(/usr/sbin/so-elasticsearch-query _cat/allocation | awk '{print $5}'); do
 {% endif %}
- size=$(echo $i | grep -oE '[0-9]+')
+ size=$(echo $i | grep -oE '[0-9].*' | awk '{print int($1+0.5)}')
 unit=$(echo $i | grep -oE '[A-Za-z]+')
 if [ $unit = "tb" ]; then
 size=$(( size * 1024 ))
From af4acd55970cff5d6188836964129c85be3f1b2e Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Tue, 28 Mar 2023 14:37:28 -0400 Subject: [PATCH 457/470] add path to first highstate cron
---
 salt/setup/highstate_cron.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/setup/highstate_cron.sls b/salt/setup/highstate_cron.sls
index dcbab4d8d..c14f4e1f4 100644
--- a/salt/setup/highstate_cron.sls
+++ b/salt/setup/highstate_cron.sls
@@ -1,6 +1,6 @@
 post_setup_cron:
 cron.present:
- - name: 'salt-call state.highstate'
+ - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate'
 - user: root
 - minute: '*/1'
 - identifier: post_setup_cron
From d5e17da9d35d66049f1a8d75189e6d86f431d4aa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 28 Mar 2023 16:20:40 -0400 Subject: [PATCH 458/470] Update VERSION
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 197c4d5c2..005119baa 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.4.0
+2.4.1
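Review bot: The new `size=` line rounds to an integer before the unit conversion that follows it, so a value such as `0.4tb` becomes `0` and then `0 * 1024` instead of roughly `410` GB; the fraction needs to survive until after the scaling. Capturing only the number and letting awk do the multiplication keeps it, e.g. `size=$(echo "$i" | grep -oE '[0-9]+(\.[0-9]+)?')` followed in the tb branch by `size=$(awk -v s="$size" 'BEGIN { print int(s * 1024 + 0.5) }')`. The pattern `'[0-9].*'` also passes the unit suffix (`1.5tb`) into awk and relies on its implicit string-to-number coercion, which a reader has to know about to trust the line. The enclosing for loop continues outside the hunk, so any non-tb branch that also needs rounding is not visible here.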
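Review bot: The inline `PATH=$PATH:/usr/sbin` prefix in the cron command works, but it ties the entry to cron's minimal default PATH and searches `/usr/sbin` last, so what `salt-call` resolves to is decided at run time rather than in the state. Salt's `cron.env_present` state sets `PATH` for the whole crontab, or the entry could call the salt-call binary by its absolute path; either is easier to audit than an assignment embedded in the command string.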
From 3cd1598067b95d4acf541783918d632b2c308a49 Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 30 Mar 2023 16:11:50 +0000 Subject: [PATCH 459/470] Only perform bond interface operations if it is not a cloud installation
---
 salt/common/tools/sbin/so-common | 48 +++++++++++++++++---------------
 1 file changed, 26 insertions(+), 22 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 2f436e86e..70f4a1cef 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -54,33 +54,37 @@ add_interface_bond0() { ethtool -K "$BNIC" $i off &>/dev/null fi done - # Check if the bond slave connection has already been created - nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" - local found_int=$? - if [[ $found_int != 0 ]]; then - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ - ethernet.mtu "$MTU" \ - connection.autoconnect "yes" - else - local int_uuid - int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') + if ! [[ is_cloud ]]; then + # Check if the bond slave connection has already been created + nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" + local found_int=$? - nmcli con mod "$int_uuid" \ - ethernet.mtu "$MTU" \ - connection.autoconnect "yes" - fi + if [[ $found_int != 0 ]]; then + # Create the slave interface and assign it to the bond + nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ + ethernet.mtu "$MTU" \ + connection.autoconnect "yes" + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') + + nmcli con mod "$int_uuid" \ + ethernet.mtu "$MTU" \ + connection.autoconnect "yes" + fi + fi ip link set dev "$BNIC" arp off multicast off allmulticast off promisc on - - # Bring the slave interface up - if [[ $verbose == true ]]; then - nmcli con up "bond0-slave-$BNIC" - else - nmcli con up "bond0-slave-$BNIC" &>/dev/null + + if ! [[ is_cloud ]]; then + # Bring the slave interface up + if [[ $verbose == true ]]; then + nmcli con up "bond0-slave-$BNIC" + else + nmcli con up "bond0-slave-$BNIC" &>/dev/null + fi fi - if [ "$nic_error" != 0 ]; then return "$nic_error" fi From dfd345634360c35be40e5014dc7104fd18046236 Mon Sep 17 00:00:00 2001 
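Review bot: Both new guards in add_interface_bond0 test `is_cloud`, which PATCH 460 shows is only produced by `detect_cloud` in setup/so-functions as an exported environment variable (`export is_cloud="true"`); if so-common is also sourced by the installed `/usr/sbin/so-*` tools after setup, which is not visible here, the variable is unset in that context and the bond-slave operations would run on cloud nodes as well. Persisting the detection result somewhere both contexts can read (a grain or pillar value, or a marker file) and testing that here would make the behaviour stable. The same point applies to the corrected `[[ $is_cloud ]]` tests in PATCH 462; the literal `[[ is_cloud ]]` form in this hunk is already fixed there. The function's closing brace is outside the hunk.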
From: Wes Date: Thu, 30 Mar 2023 16:15:41 +0000 Subject: [PATCH 460/470] Add logging for cloud detection and interface settings --- setup/so-functions | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index a977ed142..e01d9af35 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -802,9 +802,11 @@ compare_main_nic_ip() { configure_network_sensor() { info "Setting up sensor interface" - if [[ $is_cloud ]]; then + if [[ $is_cloud ]]; then + info "Configuring traditional interface settings, since this is a cloud installation..." local nmcli_con_args=( "type" "ethernet" ) else + info "Configuring bond interface settings, since this is a not a cloud installation..." local nmcli_con_args=( "type" "bond" "mode" "0" ) fi @@ -909,7 +911,7 @@ create_repo() { detect_cloud() { info "Testing if setup is running on a cloud instance..." - if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then info "Detected a cloud installation..." && export is_cloud="true"; fi } detect_os() { @@ -1247,11 +1249,12 @@ generate_interface_vars() { export MTU # Set interface variable - if [[ $is_cloud ]]; then + if [[ $is_cloud ]]; then INTERFACE=${BNICS[0]} else INTERFACE='bond0' fi + info "Interface set to $INTERFACE" export INTERFACE } From d4cba6908e609b28da62925d2d558e829591d15a Mon Sep 17 00:00:00 2001 From: Wes Date: Thu, 30 Mar 2023 16:17:34 +0000 Subject: [PATCH 461/470] Use dynamic interface value instead of explicitly setting it to 'bond0' --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
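Review bot: The new log line in the else branch of configure_network_sensor has a typo in its message: `info "Configuring bond interface settings, since this is a not a cloud installation..."` should read `since this is not a cloud installation...`. Since these messages end up in the setup log that operators read when bond configuration fails, the wording is worth getting right.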
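Review bot: AWS detection in detect_cloud relies on an unauthenticated GET of `http://169.254.169.254/latest/meta-data/instance-id`; on instances where IMDSv2 is required that request is answered with 401, `--fail` turns it into a non-zero exit, and the node is treated as non-cloud, so `is_cloud` stays unset and the bond path runs. A more robust check requests a session token first, `TOKEN=$(curl -s -m 5 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60")`, and retries the metadata GET with `-H "X-aws-ec2-metadata-token: $TOKEN"`; alternatively the DMI check already used for Google could be extended to the AWS system manufacturer string. The `info "Detected a cloud installation..." && export is_cloud="true"` chain also makes the export conditional on `info` returning success; two separate statements avoid that coupling.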
diff --git a/setup/so-setup b/setup/so-setup index f51ddb316..f10ff8c48 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -566,7 +566,7 @@ if ! [[ -f $install_opt_file ]]; then export NODE_DESCRIPTION=$NODE_DESCRIPTION export MAINIP=$MAINIP export PATCHSCHEDULENAME=$PATCHSCHEDULENAME - export INTERFACE="bond0" + export INTERFACE=$INTERFACE export CORECOUNT=$lb_procs export LSHOSTNAME=$HOSTNAME export LSHEAP=$LS_HEAP_SIZE From 3e08506c4e5dd82ad73f1ebe43339697f1d60391 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 30 Mar 2023 13:26:36 -0400 Subject: [PATCH 462/470] Fix syntax for $is_cloud test --- salt/common/tools/sbin/so-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 70f4a1cef..06d359748 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -55,7 +55,7 @@ add_interface_bond0() { fi done - if ! [[ is_cloud ]]; then + if ! [[ $is_cloud ]]; then # Check if the bond slave connection has already been created nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" local found_int=$? @@ -77,7 +77,7 @@ add_interface_bond0() { ip link set dev "$BNIC" arp off multicast off allmulticast off promisc on - if ! [[ is_cloud ]]; then + if ! [[ $is_cloud ]]; then # Bring the slave interface up if [[ $verbose == true ]]; then nmcli con up "bond0-slave-$BNIC" From 921e79c56c821e8d198a56d1bcd4048ef325c5b0 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 30 Mar 2023 16:55:30 -0400 Subject: [PATCH 463/470] fix formatting in so-user --- salt/common/tools/sbin/so-user | 98 +++++++++++++++++----------------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index aaa43cd9e..3c712491a 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
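Review bot: `export INTERFACE=$INTERFACE` silently exports an empty value if generate_interface_vars has not run before this point, whereas the old literal could never be empty; `export INTERFACE="${INTERFACE:?INTERFACE not set}"` would abort setup with a clear message instead of writing an empty interface name into the options file. The enclosing `if ! [[ -f $install_opt_file ]]` block begins and ends outside the hunk.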
@@ -13,74 +13,74 @@ DEFAULT_ROLE=analyst function usage() { cat < [supporting parameters]" + Usage: $0 [supporting parameters] - where is one of the following:" + where is one of the following: - list: Lists all user email addresses currently defined in the identity system" + list: Lists all user email addresses currently defined in the identity system - add: Adds a new user to the identity system" - Required parameters: " - --email " - Optional parameters: " - --role (defaults to $DEFAULT_ROLE)" - --firstName (defaults to blank)" - --lastName (defaults to blank)" - --note (defaults to blank)" + add: Adds a new user to the identity system + Required parameters: + --email + Optional parameters: + --role (defaults to $DEFAULT_ROLE) + --firstName (defaults to blank) + --lastName (defaults to blank) + --note (defaults to blank) --skip-sync (defers the Elastic sync until the next scheduled time) - addrole: Grants a role to an existing user" - Required parameters: " - --email " - --role " - Optional parameters: " + addrole: Grants a role to an existing user + Required parameters: + --email + --role + Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - delrole: Removes a role from an existing user" - Required parameters: " - --email " - --role " - Optional parameters: " + delrole: Removes a role from an existing user + Required parameters: + --email + --role + Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - password: Updates a user's password and disables MFA" - Required parameters: " - --email " - Optional parameters: " + password: Updates a user's password and disables MFA + Required parameters: + --email + Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - profile: Updates a user's profile information" - Required parameters: " - --email " - Optional parameters: " - --role (defaults to $DEFAULT_ROLE)" - --firstName (defaults to blank)" - --lastName 
(defaults to blank)" - --note (defaults to blank)" + profile: Updates a user's profile information + Required parameters: + --email + Optional parameters: + --role (defaults to $DEFAULT_ROLE) + --firstName (defaults to blank) + --lastName (defaults to blank) + --note (defaults to blank) - enable: Enables a user" - Required parameters: " - --email " - Optional parameters: " + enable: Enables a user + Required parameters: + --email + Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - disable: Disables a user" - Required parameters: " - --email " - Optional parameters: " + disable: Disables a user + Required parameters: + --email + Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - validate: Validates that the given email address and password are acceptable" - Required parameters: " - --email " + validate: Validates that the given email address and password are acceptable + Required parameters: + --email - valemail: Validates that the given email address is acceptable; requires 'email' parameter" - Required parameters: " - --email " + valemail: Validates that the given email address is acceptable; requires 'email' parameter + Required parameters: + --email - valpass: Validates that a password is acceptable" + valpass: Validates that a password is acceptable - Note that the password can be piped into STDIN to avoid prompting for it" + Note that the password can be piped into STDIN to avoid prompting for it USAGE_EOF exit 1 } From b6b49c876b74834c558f538a6791b54e0498865a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 31 Mar 2023 08:51:51 -0400 Subject: [PATCH 464/470] UPGRADE: Elastic to 8.7.0 --- salt/kibana/files/config_saved_objects.ndjson | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index cc25b61e4..e2eced11e 100644 --- a/salt/kibana/files/config_saved_objects.ndjson 
+++ b/salt/kibana/files/config_saved_objects.ndjson
@@ -1 +1 @@
-{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.6.2","id": "8.6.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
+{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.0","id": "8.7.0","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
From 91c990e30a9290f12112d257ef0914276d57b37f Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 31 Mar 2023 08:52:43 -0400 Subject: [PATCH 465/470] UPGRADE: Elastic 8.7.0
---
 salt/kibana/bin/so-kibana-config-load | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load
index 63ad170f2..12466cae1 100644
--- a/salt/kibana/bin/so-kibana-config-load
+++ b/salt/kibana/bin/so-kibana-config-load
@@ -63,7 +63,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.6.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.7.0" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done From 68e8c159cef65d7126519210a7b587fed6cbf66e Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 31 Mar 2023 09:21:59 -0400 Subject: [PATCH 466/470] Update analyst.json --- salt/elasticsearch/roles/analyst.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/roles/analyst.json b/salt/elasticsearch/roles/analyst.json index fc788e2f1..2fd10ab47 100644 --- a/salt/elasticsearch/roles/analyst.json +++ b/salt/elasticsearch/roles/analyst.json @@ -18,6 +18,7 @@ "indices": [ { "names": [ + "logs-*", "so-*" ], "privileges": [ @@ -60,4 +61,4 @@ } ], "run_as": [] -} \ No newline at end of file +} From d0dff9572d955fc71cfac3853a23e94f634f4942 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 31 Mar 2023 09:22:15 -0400 Subject: [PATCH 467/470] Update auditor.json --- salt/elasticsearch/roles/auditor.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/roles/auditor.json b/salt/elasticsearch/roles/auditor.json index 26df1207c..6669bd2f2 100644 --- a/salt/elasticsearch/roles/auditor.json +++ b/salt/elasticsearch/roles/auditor.json @@ -16,6 +16,7 @@ "indices": [ { "names": [ + "logs-*", "so-*" ], "privileges": [ @@ -56,4 +57,4 @@ } ], "run_as": [] -} \ No newline at end of file +} From e945f1c38f85988f566bfd809b1d708d41672660 Mon Sep 17 00:00:00 2001 
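Review bot: Adding `"logs-*"` to the analyst role's index names widens it from the `so-*` indices to every data stream matching that pattern, and the `"privileges"` array that states what is granted on them starts on the last line of the hunk and continues outside it; please confirm the grant is read-only and that no data streams with more sensitive content than the `so-*` indices fall under `logs-*`. JSON allows no comment, so the intent is best recorded in the commit message or the role documentation. The same change is made to auditor.json in this patch and to limited-analyst.json and limited-auditor.json in PATCH 468 and PATCH 469.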
From: Doug Burks Date: Fri, 31 Mar 2023 09:22:28 -0400 Subject: [PATCH 468/470] Update limited-analyst.json
---
 salt/elasticsearch/roles/limited-analyst.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/roles/limited-analyst.json b/salt/elasticsearch/roles/limited-analyst.json
index 2b3797dbc..9186b732e 100644
--- a/salt/elasticsearch/roles/limited-analyst.json
+++ b/salt/elasticsearch/roles/limited-analyst.json
@@ -4,6 +4,7 @@
 "indices": [
 {
 "names": [
+ "logs-*",
 "so-*"
 ],
 "privileges": [
@@ -46,4 +47,4 @@
 }
 ],
 "run_as": []
-}
\ No newline at end of file
+}
From a8b6470a147412b869ef3edad7ff901579f72b8e Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 31 Mar 2023 09:22:42 -0400 Subject: [PATCH 469/470] Update limited-auditor.json
---
 salt/elasticsearch/roles/limited-auditor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/salt/elasticsearch/roles/limited-auditor.json b/salt/elasticsearch/roles/limited-auditor.json
index ecab5016a..902567523 100644
--- a/salt/elasticsearch/roles/limited-auditor.json
+++ b/salt/elasticsearch/roles/limited-auditor.json
@@ -4,6 +4,7 @@
 "indices": [
 {
 "names": [
+ "logs-*",
 "so-*"
 ],
 "privileges": [
@@ -44,4 +45,4 @@
 }
 ],
 "run_as": []
-}
\ No newline at end of file
+}
From ad000550a695ddb90c677d1f13e5a2bd23856c71 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 31 Mar 2023 16:46:24 -0400 Subject: [PATCH 470/470] Update elastic agent binaries - 8.7.0
---
 salt/common/tools/sbin/so-elastic-fleet-setup | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 5eeccb8db..ab54d42a5 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
@@ -97,9 +97,9 @@ salt-call state.apply elasticfleet queue=True /usr/sbin/so-elastic-fleet-integration-policy-load # Temp -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-darwin-x86_64.tar.gz -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-linux-x86_64.tar.gz -wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-windows-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.7.0/so-elastic-agent-8.7.0-darwin-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.7.0/so-elastic-agent-8.7.0-linux-x86_64.tar.gz +wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.7.0/so-elastic-agent-8.7.0-windows-x86_64.tar.gz #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git #cd securityonion-image/so-elastic-agent-builder